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Welcome to the20th anniversary of DEF CON! 


When | started this madness long ago | never conceived of doing it for 20 years 
— yet here we are! 


ku 


As you would expect this year is designed to be a celebration of 20 years, and 
we expect the most number of people ever. There is more entertainment, live 
music, and movie & documentary screenings than in the past. As you have 
already gathered the badge is our most expensive and sophisticated ever, 
the music CD of songs donated by artists is a first, and if all goes well the 
conference CD will actually be a DVD. 


We have more bandwidth, more teams competing in Capture the Flag, a 
new badge puzzle contest, and a faster media server for people to leech 
off of. Contests have stepped up their game this year, the bands and DJs 
have been looking forward to it for months, the first FED to be spotted is back, 
we have the speakers from DEF CON 1 doing turbo talks about what they have 
been up to all these years, and we have a speaker we have been trying to get 
for years, the Director of the NSA! 


Take my word for it, there is more of everything and it is up to you to find it all 
out for yourselves. DEF CON 20 is also a year of change, with some people 
deciding it is best to quit while ahead, to step aside and let new people take 
over. This continual renewal is what keeps the con fresh, and at the closing 
ceremonies we will be showing our appreciation to those passing the 

torch. Hint: Check out Hacker Jeopardy this year, hear it will be epic. 


People are always fascinated with the origins of the con, how it grew 
from 100+ people that first year to whatever size it is this year. | wanted 
to get those who knew in the same room speaking to those who wanted 
to know. That sounds simple, but back in the day there was way more 
incorrect security information available than 
P m» 
. 8 
ev = 


A 


was credibleand accurate. There was 

a hunger for what was going on, 

what worked, and what didn't, that a, 
exists to this day. Sure, now we have > 

search engines and a billion security oo, 
certifications to choose from, but the 7 
basic interest remains. The simple 
formula of good talks, good contestsyand 
good parties allow people to engage in different ways at 
different times. The con runs 100% on attendees and that has 
helped us stay focused since the beginning. 


A little older but also a little wiser, the people that put on 
DEF CON are really looking forward to this year. Thanks for 
making it all possible! 


The Dark Tangent 
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[root@freeside:~] #cat /dev/wifi/ssid/secure 
DefCon-SECURE — Type: 802.1x/WPA2 
[root(afreeside:-] #cat /dev/wifi/ssid/open 
DefCon — Type: 802.1lb/g [OPEN] 
DefConA — Type: 802:1la [OPEN] 


Once again, we have 100 megabaps of Internet bandwidth for you. We have 
WiFi throughout the entire Rio convention center. We continue to provide both 

a “secure” and “free range" wireless network. The Secure network provides you 
access to internal infrastructure/servers and to the Internet — that's it! No client- 
to-client connections (so less chance of finding goatse the hard way). 


Shout-outs to the NOC staff who keep things running every year: Lockheed, 
Heather, Mac, effffn, Rukbat, Videoman, Enki, Mac, #Sparky, and t3ase. This year 
we have interns — Jared, Justin, and Erik! 


Let Us know how the network's working — noc@defconnetworking.org. 
Check throughout con for stats & wrap-up at http://www.defconnetworking.org/ 


We continue to send the DEF CON 
talks direct to your hotel room! We're 

j also going to try to do a multicast 
stream so you can watch from your 
laptop/tablet. We have a new crew 
to help make DCTV ultra kick-ass this 
year! Check out http://DCT V.defcon. 
org for up to date on-site info and 
program options. 


For information or requests email 
dctv@defconnetworking.org 
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My goal last year with the badges 
was to foster communication 
amongst attendees. There was 
phenomenal participation in the 
'mysteries' tied to the badges and 
the conference, and | hope that 
everyone had fun. Helping build 
the hacker global community is 


designed circuit fonhacking-lve 
tried to give you a development 
platform. A platform that 
hopefully you'll take home and 
use. 


| went with the Propeller 

ucontroller for a number of 
reasons. It's no 
secret that | used to 


OWWDWUMFUPQBHPSDAAE work for Parallax, 
MNVZAWZCFYRCDGVWCV and as such have 
JSELMXSHBWAZHNWPUM experience with 

MWXAGDOHWPEEDHIEY their chips. All of 
MMQAMMCKGMEFIIGOG the software for 


NUKPVGSWTBCRHMLAO programming the 
IMAFCPFLXWCBEDZCD Propeller is free, 
HNZEEWRHIWT and there’s quite 
22$ FQAEPEPLZT | "avariety; C, ASM, 
LEKDRTTJPA SPIN- and if you're 
E BMYOSPEYSB feeling nostalgic a 
TNOLAIIXOIW Z80 emulator and 
RUMILERPLWS a C64 emulator in 
QYPVJWYMWL the works as well. 
TXGCCMOUSB The chip itself has 
LJCFWPEXGB 8 32-bit processors, 
UCAEJYEF so the pains 
N f ROMWHLESR involving interrupts 
BUCLKNTGBH and timeslicing 
TFWIOMCAGPIJ are non-issues. 


a great side benefit that | always 
hope | canbe a part of. 


This year | decided to try and 
combine the awesomeness of the 
legacy of electronic badges Joe 
had set, with the well-received 
badge challenge from last year, 
but with a twist - rather than 
handing you a purposefully 


Fabrication of the 

badge was all done 
in the US this year as well, to avoid 
all the import issues DEF CON has 
encountered in the past. 


The VGA and PS/2 connectors 
were left off of the build 
intentionally, so that the badge 

is lighter while you wear it at 

con- but everyone got them as 
encouragement- either to visit the 


I 
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Hardware Hacking Village and 
attach them here, or to solder on 
at home. Now you have an excuse 
to finally learn to solder if you 
haven't before. Drop by the HHV, 
they'll teach you. You can power 
the badge via the USB connection 
or batteries, either one. 


The USB connector can be used 
with a serial terminal (some 
output may already be there on 
boot, hint hint), and I’ve broken 
out I/O pins (on the top) for your 
hacking pleasure. 


The badge challenge this year 

is actually two challenges 

in one- the ‘crypto-mystery’ 

game, AND hardware hacking/ 
development/modification. 
Teams completing the game will 
require a ‘modification’ as part 

of their ‘conclusion’, and those 
wishing to submit a hardware mod 
need to do so with a team with the 
appropriate 'codeword' discovered 
inthe game. Now you have to talk 
to each other ;) 


Hints for the game will be 
forthcoming from my twitter 
account (#1057), but here's your 
first one: 


Happy 20th DEF CON. Thanks DT. 


-Ryan “LostboY” Clarke 
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DEF CON is joining the ranks of 
cool Hacker Spaces world-wide 

by offering not only to stamp your 
Hacker Passport with an entry 
stamp for DEF CON 20, but also by 
offering our own Passport Book. 


The idea is simple, and follows in the path 
that Mitch Altman and Matthew Borgatti 


started over at http://HAR.MS/HACKERPASS 


where you download and print out your own 


passport then take it to various hackerspaces 


as you travel the universe. (hackerspaces.org 
fora great list) When you visit a participating 
space they stamp your passport if you ask. 


DEF CON will be making stamps for all future 
years as well as giving away our own pdf of a 
template passport, and for those of you not 
so hot with paper and staples we will have 
one for sale pre-made in the vendor area. 


Get 
yourself 
stamped 
atthe info 
booth 
orthe 
human 
reg area! 


HACKER 
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The média server from last year is back! Upload and 


Download! WarEz AlerT! 


Point your browser at ftp://dc20-media.defcon.org or we bDAV to port 5005! 


Last year it Was a Synology 4llslim NAS server that was pumping out 160 Mbps, as fast as its 
little low power processor could go. The newer hardware for this year should lead to faster 


downloads. 
What you will find: 


Images of this year’s conference materials, music, art and pictures as well as everything we can 
find from years pastas well as a limited reading directory and other security odds and ends. 
Grab what you want, and please upload and share what you have related to the con. We would 
love to get pictures, write ups, wordlists, whatever you may have! 


And for those of you in a rush we will also have physical wired LAN connections to the media 
serveratthe Info Booth where you can plug in, get a DHCP address, and start leeching directly. 


Play nice! 


Hacking is the future. Having the skills 

to control your own destiny, to bend the 
crazy information stream to your will, and 
to protect yourself from digital harm will 
only become more crucial as time goes 
forward. 


But hacking is also the past. There are 
amazing things to be learned from the 
story of how we got to where we are. 
There's a wealth of actionable insight 
available to you in hacker lore and legend. 


DEF CONis trying to do its part to keep 
that information available and free, 

via the DEF CON media server. In it, we 
archive as much as we can of DEF CON's 
past content, and whatever we can scare 
Up from other Sources and host (with all 
the appropriate persmissions firmly in 
place, natch.) Want to learn how Aaron 
Higbee and Chris Davis turned an old 
DreamCast into a phone-home device? 
It’s there in the archives for DC 10. Feel 
like reliving the insane rockstar-ninja- 
pimp introduction of Back Orifice to the 
world at DEF CON 7? We have it (Spoiler: 


there are pyrotechnics and profoundly 
misplaced telco equipment.) Even if 
you're just doing independent research 
onthe effects of free beer on higher 
cognitive function — we have a couple 
episodes of Hacker Jeopardy just for you. 
[Ed. note: Winn, never shave. Shaving 
ruined Trebek.] There are even a few 
hacker documentaries archived there. 
Visit, learn, marvel and be entertained. 


https://media.defcon.org/ 


The story of how ordinary hackers tilted 
the paradigm of technology and power 
ever so slightly closer to the little guy 

is important, maybe one of the most 
important stories of our time. We have 
some of the pieces, but we’re hoping 

to assemble more of the puzzle for 
posterity. 


That’s where you come in. If you have 
cool, hacker-related infoz, in any digital 
format, that you'd like to see in the 
archive and shared with the world, send 
us an email at dt@defcon.org. 
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Saturday, 21:00-04:00 in Track 1 [Rio Pavilidn 8-11] 
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BEVERAGE COOLING 
CONTRAPTION CONTEST 


Saturday at 13:00 on the Miranda Patio 


The fact is that many of the beverages we 
consume are just plain better when they are 
chilled. Hackers are always making tools to 
make their lives better. Why not tools that 
chill beverages? 


Let’s cool some beverages! Sure we know 
how to drink em, but how fast and accurately 
do you think you can chill them?? . 


Teams will pit their creativity and ingenuity 
tothe test. Their contraptions will be tasked 
with taking an outside temperature beverage 
(probably 83+ degrees Fahrenheit depending 
on the Las Vegas sun) and chilling it to 
exactly 42 degrees Fahrenheit this year. There 
are bonuses for per beverage chilled and 
penalties for missing the target temperature. 
After adding both penalties and bonuses, the 
fastest time wins! 


The Beverage Cooling Contraption Contest 
is always entertaining for both contestants 
and spectators. Once a beverage has 
passed through each contraption and 

been measured for science, it is no longer 

of use to the contest and becomes waste 
product. This contest always has plenty of 
glorious liquid waste product that must be 
“leaned” up and “disposed” of. Luckily, there 
are always many willing contestants and 
members of the audience to help us with this 
terrible chore. 


Come and see the technological contraption 
wonders that chill glorious beverages. 


Some teams do it for prizes. Some teams:do 
it for glory. Some teams do it for SCIENCE! 


Everyone at this contest watching or 
competing is sure to have a great time. So 
come on down to the Miranda Patio on 
Saturday at 1:00pm. 


Official Rules and team sign ups are at the 
DEF CON Forums contest area. 


DC20: [Official / Unofficial] [Parties / Social 
Gatherings / Events / Contests] "Beverage" 
Cooling Contraption Contest 


= 


/ 


BLACK BAG 


13:00 — 17:00 In the Contest Area 


At past DEF CONs Deviant Ollam and his 
company, The CORE Group, featured the 
Gringo Warrior lockpicking contest. In that 
scenario-based escape game, participants 
had to "break out" of a virtual prison cell and 
escape kidnappers in a quest for freedom. 
Many came, many succeeded, all had a good 
time. In this latest contest designed and built 
by The CORE Group, you will use similar skills 
and cunning... but with the aim of getting IN 
and then getting BACK OUT from your target 
building. 


Black Bag is a team-based physical 
penetration event. Three-person teams 

will be tasked with infiltrating the offices 

of a shadowy super-criminal with the 

goal of uncovering details of his plans 

and associates. Using genuine tools and 
equipment used in the field, you will have 

to compromise physical locks, disable 
surveillance systems, copy keys, access 

and photograph documents, gather 
information from computer systems, unlock 
smartphones, and even attempt to remove a 
desktop computer from an office WITHOUT 


=- powering it off. 


Pulses will race... brows will sweat... sparks 
may even fly! In the end, we will see how 
many objectives you and your teammates 
can accomplish in ten short minutes without 
being caught or leaving any evidence behind! 


CTP: CAPTURE THE 
PACKET 


09:00-19:00 in the Contest Area 


Capture the Packet is inits third year, now a 
Black Badge Event !. CTP Capture the Packet 
is a one hour "live traffic analysis game". 

Here you will see no static PCAPs, it's like 
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m4. on the wild, wi k west internet. You are 


competing against some of the best traffic 
and forensicanalysts. Use your Packet FU.— 
and analysis skills to beat your opponent and 
prove you can “Capture The Packet”. 


Contestants will monitor the hostile CTP 
network, use traffic analysis skills to look 
for clues, solve puzzles, trivia, and complex 
analysis questions — Answer them correctly 
and receive points, answer them incorrectly 
and you lose points. The high score in 

that round and move the Final round on 
Saturday evening where you have a chance 
to complete for some really great prizes, 
including the DEF CON “Black Badge". 


Register online at "CaptureThePacket.Com" 
or at the CTP table here at the conference, 
provided space is available. Check out our 
facebook page for static pcaps to help build 
your skills and give you the confidence to 
register to compete at DEF CON 20. 


CRACK “ME IF YOu CAN 


48 hours straight. 23:59pm Thursday July 26th — > 23:59 
pm Sat Jul 28th 


Teams have 48 hours to crack as many 
passwords as possible. The hashes are 
provided (and generated) by the KoreLogic 
team to range from simple to "challenging". 
The teams are required to crack, recognize 
patterns, innovate solutions to crack more 
passwords, and then repeat the process over 
and over again. The trick is winning is the best 
combination of team work, good wordlists, 
rules, hardware, and being able to use PGP/ 


. GPG email properly. The contest is designed 


sothat even password cracking beginners 
can have fun and crack lots of passwords. 
Butatthe same time, the advanced teams 
of the world's best password crackers will 
be burning the midnight oil to crack as many 
hashes as humanly possible in the short 
amount of time. This is our 3rd year running 
the contest, and we have a bunch of new 
tricks up our sleeves for "challenges" that 
teams will try to win. TrueCrypt encryption? 
Sure! MD5s-? of course! NTLMs galore. ZIP 
files? RAR Files? SHA256? Hash formats 
unsupported by any tool — but still used in 
the “wild” ? Expect it ;) Fire up your GPU 


cards — ramp Up yóur EC2 clusters, Your 
college doesn't need that big ol’ cluster over 
arandom weekend in July does it? Use that! 
The teams are fighting for $1,000 dollars in 
cash (split between Ist, 2nd and 3rd place). 
All teams must have at least 1 member onsite 
at DEF CON. 


CRASH AND COMPILE 


20:00-24:00 


A programming contest crossed with a 
drinking game. What can possibly go wrong? 


DARK TANGENT’S 
| TAMPER EVIDENT 
' CONTEST 


Noon Friday to 2pm Sunday In the Contest Area 


The world is full of ‘tamper-proof’ packaging. 
You’re expected to trust it, but how strong 
are those measures, really? This is a contest 


| 1 " Rm . about defeating these physical measures in 
“=~ . . adocumentable, elegant fashion that leaves 


. notrace of your attack. You can enter alone 
or with a team, and you can even enter the 
'Unlimited 'class that allows you to use any 
tools or gear you can get your hands on. 


| UST @ DEF CON 
| MYSTERY CHALLENGE 


T All Con 


— The LosT@DEF CON Mystery Challenge 
comes out of retirement for DEF CON 20. 
Although registration takes place prior to 
con, DEF CON 101 offers unique opportunities 
for con newcomers to be placed on existing 
teams. Teams never have any foreknowledge 
regarding the challenge each year, only 
knowledge of past challenges provides any 
possibility of preparation. Past challenges 
have incorporated elements of social 
engineering, networking, electronics, 
mathematics, physics, physical security, 
-"linguistics, pop culture, lockpicking, 
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nowledge, reverse 
@ngineering, riddle/puzziesolving, costuming, 
roleplaying, bookbinding, and what ever else 
LostboY/1057 (Ryan Clarke) can. come up 


with that year. The goal is to have something 
fun for everyone participating, and creating 
new friendships (and enemies?) while 
competing in one of the most challenging 
Defcontests (trials of pain?) . Originally 
created as an interesting way to give free 
hardware to interested HUMAN attendees, 
teams often leave the contest with a sense of 
accomplishment and free hardware. Winners 
of the mC are generally rewarded with a DEF 
CON black Uber badge. Hackers of the world 
unite 


Pbzr ba thlf, EBG guvegrra? Lbh jvfu vg jnf 
gung rnfl. Jung qb lbh guvax guvf vf, gur onatr 
pbagrfg? 


OPEN CTE 


In the Contest Area 


Open CTF is a Capture the Flag contest that 
is open to any and all attendees. This year’s 
game features a new style of competition 
that combines both Jeopardy-Board and 
Attack/Defend styles into one high-intensity 
game. Unlike previous years and other 
contests, this year’s OpenCTF will be played 
as asingle-elimination tournament, with 


multiple rounds spread out over three days. 
The best will win, but not at the cost of 
spending their entire DEF CON 20 experience 
huddled over a laptop in a dark room listening 
to repetitive electronic music and munching 
on magic pills. 


PROJECT 2 


Friday 09:00-20:00(ish) Saturday 09:00-20:00(ish) 
Sunday 09:00-14:00 in the Contest Area 


Project 2 is adrop-in contest for novices 

to experts to hack on while at the con. It is 
designed for contestants of all skill levels to 
stop, play, and enjoy a challenge without prior 
registration or commitment for the rest of 
con. Unlike most contests, we will help you if 
you get stuck. 


REBOOT ARG 


24/7 


Players need to watch the trailer for REBOOT 
at www.rebootfilm.com, and see what they 
can find. When Players finds anything they 
think is an Easter egg or a "key" to the next 
level, they need to send a direct message 

to REBOOT on Twitter (@reboot_film) for 
confirmation. We will respond letting players 
know if they have found a clue or if they have 
reached a new Level. Note: you must follow 
Us on Twitter in order to send us a direct 
message. How players get points? Points: 
Level 1 = 500 (Players get these points just 
for playing the game) Level 2= 1,000 Level 3 
= 1,500 Level 4 = 2,000 Level 5 = 2,500 ...and 
so on. How many levels are there? Hehe... 

we can’t tell you that. :) Clues or hidden 
message that Players find (and are confirmed 
by REBOOT) are worth: 100 points each. 
What Players win? Our Overall Champion 
and #1 Player will win a free HD download 

of REBOOT upon release; the Official 
Soundtrack signed by the composer, and an 
11x17 Poster of the film signed by the writer/ 
director. The Top 5 players will win a free HD 
download of REBOOT upon release. The Top 
10 players will win a free digital download of 
the Official Soundtrack for REBOOT. Good 
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talents. 


THE SCHEMAVERSE DEF 
CON TOURNAMENT 


Thursday — Saturday 09:00-19:00 and Sunday 09:00- 


12:00 


The Schemaverse is a space-based 
strategy game implemented entirely 
within a PostgreSQL database where you 
compete against other players using raw 
SQL commands. Use your SQL skills to 


© AND MOUSTACHE 
-. CHAMPIONSHIP 


gonnabebumpingsome hardcore bróStep 
all weekend and have some totally sweet 
challenges this year. The game is suppossed 
1 torun Fri and Sat 10:00-10:00 and most of 
the day on Sunday. Should give us plenty of 
time to show these fauxbros what's up and 
still slam some jager bombs at the clubs! 


DEE CON BEARD 
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to do it, get the FED 
vote on whether they 


ooking for “pseudo- 
e more than enough gun and 
est powers for this 
tractors and off-duty 


rn for the good- 

vill receive from the 
Federales whose 

wn receive the equally 
ed” shirt. Let the soft, 
othe all the hurt away. 


DEF CON SHORT STORY 
CONTESTI 


For the past few years I have been running a 
shortstory contest on the DEF CON Forums 
(https://forum.defcon.org/). These stories 
are tune with our community, | wanted stories 
about hackers, hacking, science, technology, 
nerdy things, geeky things, zombie things. 
This year | wanted contestants to tie their 
stories in with the conference itself. So if they 
wrote about zombies chasing a group of 
young folk, they better be at our con, staving 


; P 3 -00i ; | ..— Inthe Contest Area off ahoard of the undead while building a lab 
Ri " um 00, Sat interactively command your fleets to glory AESCASO ONIS he Ap- | T ted Feds: Are 2 you a Fed so crafty to find a cure forthe T Virus. (Believe it or not, 

during this weekend-long tournament for the or DEF CON 20 - The 25,000€ Hacker © Due to the growing number of awesome A ted? Did you get the someone actually wrote a similar premise) 

ee yburPL/BESQL fools midi!!! Come and be a lucky audience ve beards at DEF CON and the (popularity?) of ell that we think you're I've included the past 3 years worth of short 


unusual items and complete insan 
This year will be our 15th year cae I 
To celebrate we hi ome insa rpris 

With prizes M com,as | 
well as items from each and every vendor. Jj 
in your vendor room, the rewards will be- 


amazing! Be sure to follow us on Twitter @ 
defconscavhunt and on px athttps:// ` 


strong, wield it to write Al and have your fleet 
command itself while you enjoy the con! 


member who will participate with a DEF CON 
Celebrity i in a fast paced game of Pyramid! 
Mit may be the last Dick Clark property to 
- be Seacrested... so we're bringing it to you 
_ FIRST! Every contestant has a chance at the 
FABULOUS PRIZES—all the way up to the 


the shitshow that is beardsmanship, it’s time 


that folks were recognized for letting their 
unix beards fly. 


NETWORK FORENSICS 
PUZZLE CONTEST 


E 
— .. Inthe Contest Area 


is it that contacting 

(I know, good luck) in 

l get you on the mailing 
he Fed" shirt. If you 

e you need to find Major 
icial Avatar for trading 
his might get you spotted, 
ovements. Major 

s access to the list - but 
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stories on the conference DVD for you to read. 
You will find no hair tussling in the breeze, 
bodice ripping, stories that you can find in 

the romance bin. No matter how you dress it 
up with tech, it’s not worth it to me read nerd 
porn unless it's a tiger direct or fry's circular. 
You can follow me on twitter at Niki7a if you 
want to, If this seems like an exciting method 
of communication to you: 


www.facebook.com/defconscavhunt and " 3 P ou think you are you can r 
be sure to enjoy this discount while shopping B m , ry SE ` The Network Forensics Puzzle Contest is a l Per ae 4 denk Pe. us 
at http://www.thinkgeek.com using code | 10:00-22:00 Fri-Sat, 10:00-? Sunday in the Contest Area - . challenging mystery requiring contestants prep y E 


DEFCONI2, good for $10 off $60+ orders from 
7/26/12 to 11:59pm ET E^ 5 


THE A ! 
STRIKES BACK - SECTE 
3 (SOCIAL ENGINEERING 


CAPTURE THE FLAG 3)- WALLOE SHEEP 


Friday-Sunday in Palma E-F 
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Social-Engineer.org is challenging you. Wea 
inviting those of you who think you can use 


guard down when connecting to any public 


5 Hours of Operation — 09:00 — 19:00 in the Contest Area 


Returning to DEF CON 20;the MM T D The Wall of Sheep is an interactive look at 
what could happen to you if you let your 


| SupBroseph!? . af , 


LI 
| | was playing this sick game of ultimate today 
- . with one of the other startups at our co- 
pa working space. They were burning super | hard - 
after we kicked their ass and started talking 
mad shit. One of the dudes starts talking shit 
about my eaves? chops and | was all 
. like, Weider me, | bro!" Then he was all like, 


to forensically analyze packet captures (and 
more!) to uncover an evil plot. 


(SPOT THE FED 


Of course you know they walk among us, 
these badge-wielding, security-clearance 

T having dot gov types. You've got the warning 
—- signs down, from the haircut to the tucked in 
shirt, from the shifty eyes to the sun-kissed 
skin. There's really only a few questions 
left. Do you have the stones to make your 
suspicions public? Do you have a line of 
questioning that will force your quarry's 


pre 2 


hand? Can Priest make your target crack and 


Unityto come 
BloodKode 
onor of a 
drawing of 
ou donate. Heck 
aking your drinking tab 
«now what we mean) It’s just 


BlLooDKODE 


of meet the author event, so be sure to visit 
the DEF CON Forum Meet 19:00 Saturday in 
Palma G&H and check it out! 


Here are the winners for this year!! Thanks 
everyone who submitted! 


First Place - A Silent, Private Place, by Davien, 
won 2 human badges! 


Second Place -DEF CON Unbound, by John 
McNabb, won 1 human badge! 


ethical social engineering skills to stretchyour * network. The Wall of Sheep passively 
limits as a social engineer. Aunique blendof © monitors the DEF CON network looking for 
information gathering, planning and attack „traffic from users utilizing insecure protocols. 


vector execution will challenge the very core The Wall of Sheep will be hosting several 
of every participant. This will be a different SE BackTrack 5 — Network Sniffing TOT, using 


challenge as our focus is not on who can “get” Wireshark, EtterCap, Dsniff and other 
traffic analyzers. We will also be hosting an 


win you the rare and coveted “I Spotted the . about! helping out someone who you will 
Fed" t-shirt? ^ never meet and giving them the gift of life! 

T r No Mohawks this year but Awkward Hugs 
To get in the game, You need to alert Priest of : 3 3 
VE en. He CR be reached in person, will be given & the silent thanks of the person 
via the Goon team, or through the info booth. you helped & their loved ones! So donate 


if Priest and point the FED out to him, early & often......err scratch that last part! Just 
Sela est anc point the » MUR remember the blood of hackers run through 


WEM Sy your veins time to share that gift with the a 
6 Li world! 


People's Choice - DEF CON Unbound, by John 
McNabb, won another human badge! 


Honorable Mention- DEF CON - The 
Beginning of the End, by Siobhan Morrison 


hacker meetup called’ DEFC ichis 
ZA ho a s 20th Anniversary this year. Iwas — 
thi we grab Some more bros, road trip 
out to vegas, and show these scrubs how 
-to rage like real brogrammers. | hear they're 


\ Deets ite, “SE DUO S —————— iil — "aN 


Once againathe DEF CON Official CTF contest 
is the biggest it's ever been. Hundreds of 
teams around the world have fought their 
way through a brutal bracket system in order 
to get the coveted invitation to play in the 
big show at DEF CON 20. The 20 gangs of 
network Highlanders who made it here are 
probably at it as you read this. The contest 
goes on until the bitter end of the con, leaving 
just enough time to finish the scoring and get 
everyone into the closing ceremonies. 


The twenty teams competing the this years 
contest, Binjitsu IV, come to us through quite 
a few different channels: 10 teams got their 
spot by dominating the open qualification 
round hosted by Binjitsu IV's organizer DDTEK. 


We also invited teams who showed their skill 
by winning other respected CTFand hacking 
contests from around the world. 


And finally, in a new twist, the final slot is 
being auctioned on Ebay. Team "cashcows" 
will get their slot by winning the auction, with 
proceeds going to a combination of contest 
costs and charity. 


It's hard to overestimate the level of difficulty 
here. The contests get more difficult every 
year, and the set of skills a team must display 
to win gets wider as well. Every single team 
here deserves your admiration. DEF CON and 
DDTEK wish the best of luck to all of them. 


Inorder to become a master of binjitsu, it is essential to understand how you will be 
measured. 


Services constitute the heart ofthe CTF game. Each team must attack and defend 
identically configured servers, each running some number of custom services. The idea 
is to analyze the custom services for vulnerabilities and to develop both an attack and 
adefense strategy for each service. By exploiting a service an attacker gains access 

to privileged information which is generally referred to as a key (aka flag, aka token). 
Keys may be readable (steal information), writable (corrupt information), or both. 
Teams demonstrate that they have stolen information by turning stolen keys into a key 


. submission server. Teams demonstrate that they can deface a service by overwriting 


keys with a replacement key unique to the attacker. For both of these activities, teams 
are awarded points. In order to keep things interesting, keys are periodically updated 


. bythe contest organizers, allowing teams to demonstrate that they can maintain 


continued access to their victim’s data through submission or corruption of the new key 
values. Additionally the period during which teams may submit stolen keys is finite (for 
example within 30 minutes following the steal) in order to reduce the effects of key 
hoarding (displayed score not representative of actual score) and key sharing (where 
teams obtain keys by trading with other teams rather than via attacking other teams). 


Ratherthan simplyawarding a point perstolen oroverwritten key, the scoring 
systemtreats keys as commodities (such as diamonds). The following factors are 
taken into account when deriving ateam's overall score: 


1. The more keys that are stolen/overwritten for a particular service, the less each key is 
worth. 


24 Teams earn more points for demonstrating diversity of attack across a given service. In 
other words, teams can score points for attacking the weakest defender, but they can 
earn far more points by demonstrating that they can attack across all other teams as 
well. 


3.  Thelongerateam'sattacks go unnoticed, the longer that a team remains the sole 
possessor of an 0-day, the more points a team can accrue for a given service (effectively 
cornering themarketon that commodity) 


Teamsare awarded points as follows: 


T For a given service up to 1800 points are available for distribution to the teams. 900 
points for reading keys from their 9 opponents and 900 points for overwriting keys of 
their 9 opponents. 

2 Fora given attacker, a given victim V, and a given service S, the attacker's partial 


score for the stealing keys from the service is their percentage (0-100) of all keys 
Stolen from V via service S. 


3. Fora given service S, an attacker's score for service S is the sum of the their partial 
Scores (across all of the other teams) for that service. 


4. Ateam's overall raw score is the sum of its scores across all services in the game, 
minus defensive penalties for any of their keys stolen by other teams. 


5. Ateam's raw score is then multiplied by a measure of the availability of the team's 
services for the duration of the game. Note that availability does not imply the service 
is unexploitable, so the team may not in fact be defending the service. 


One example of a partial score awards a team 100 points if they are the only team to 
steal keys for service S from victim V, even if the attacker steals only one key. Thus 
thisisa very valuable key. In another example team may have stolen 400 keys, team 
2 300 keys, team 3 200 keys, and team 4 100 keys from service S on victim V. In this 
second case, the teams are awarded 40, 30, 20, and 10 points respectively. In this 
case, individual keys are worth less because keys for this service are common. 


Aninteresting effect that may be observed under this scoring systemis that a team's 
score may actually decrease from time to time. For example, the first team to submit 
a key for a service/victim will have the one and only key submitted and therefore a 
partial score of 100 (percent) for that service. If a second team submits a key for the 
same service/victim each team's partial score will now be 50 points andthe first 
team will see a decrease in their score owing to the fact that their 0-day is no longer 
as valuable as it once was. On the other hand if the first team manages to capture 99 
keys before the second team submits their first key, the first team will see their score 
drop almost imperceptibly from100 to 99 while the second team'sscore will be only 
1. This situation reflects the first team's early entry into the market for these keys and 
theirnearmonopoly on these keys. 


Thosefamiliar with the "breakthrough" system of past CTFs, may note that there 
isnomentionof breakthroughs in the description above. We feel that this scoring 
system rewards 0-day when 0-day is used effectively to build one's hoard of keys 
ahead of any other team developing their own version of the same exploit. Further 
thissystemallows teams to delay the use of their O-day in order to keep the number 
of keys in play to a minimum with the associated risk that another team will beat 
themto the punch. Thus, in addition to testing a team's offensive and defensive skills, 
this scoring system attempts to make teams consider the strategy of how, when, 

and where to make use of their O-day. Additionally it places increased emphasis on 
keeping exploits stealthy. 


Stop by the CTF room and talk to a DDTEK representative for more details on the 
scoring system and displays you will see during the contest. 


~ur CTF cr3w 
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BE THE “MATCH - 
NATIONAL “MARROW 
DONOR REGISTRY DRIVE 


Fri — Sun, 09:00-18:00 in the Contest Area 


Back for its third year! Take part of the coolest 
"Bio-Hack" around... register with "Be the 
Match" at DEF CON, and take the first step to 
become a Bone Marrow Donor, by signing up 
on the Be the Match donor registry. 


DEE CON 20 forum 
EET 


Friday at 21:00 in Palma G-H 


The “Forum Meet” offers the DEF CON online 
community the opportunity to meet and put 
a face to the names and avatars they see year 
round on the DEF CON forum. It’s a place to 
see old friends and make new ones. If you are 
a forum participant or “lurker” Stop by and 
say hello. 


If you are new to DEF CON this is an excellent 
opportunity to become part of the year round 
DEF CON experience. This event gives you, 
the new DEF CON attendee an opportunity 

to join in, and gives you a chance to ask 
questions about the Con that you may not 
have other opportunities to get answered 
elsewhere. 


It's the place to meet other likeminded 
individuals ina casual easy going 
atmosphere, no loud music or flashing lights. 
A place conducive to just talking and having 
good conversations. 


The "Forum Meet" is not meant to bea 
"Destination" It is a “starting point" a place to 
meet people with similar interests and'then 
go explore all that DEF CON in Vegas has to 
offer! 


HACKER KARAOKE 


Thursday: 21:00-02:00, Friday or Saturday (TBD): 21:00- 
02:00 in Brasilia 1 


Do you like music? Do you like performances? 
Want to BE the performer? Well trot your 
happy ass down to Hacker Karaoke, DEF 
CONV's first on-site karaoke experience where 
you can bea star, even if you don't know it. 
Don't want to be a star? At Hacker Karaoke 
you can also take pride in making an utter 
fool of yourself. Join Bascule and OverDose 
as we put the casbah in “Rock the Casbah”. 


Toxic BBQ 


Thursday 16:30-22:00, at Sunset Park 


Every year thousands of Hackers and 
Computer Security Enthusiasts attend DEF 
CON the worlds largest underground hacking 
convention: Before the convention starts the 
Toxic BBO is held: Its an event put together 
by attendees, not funded, organized, or 
sanctioned by the convention. Attendees 
donate thier time, money and food, and put 
together a huge kickoff to the con. 


Every year attendance grows, and so does 
the selection of food, from Yak & Elk, to Ribs 
& Beer, the Toxic BBQ has something to offer 
everyone. Its not just a place to eat and drink, 
its a place to meet and greet your fellow 
attendees before the con. 


Best of all, its free. You are encouraged to 
contribute something, whether it be food, 
donation, your cooking skills, or even a ride to 
the BBQ site. Many of the organizers can be 
found at the BBO pits. 


QUEERCON 


Social Mixer: Friday & Saturday - 16:00 @ l-Bar 
Party: Friday - 20:00 @ Brasilia3 


Queercon is backand celebrating its 9th year! 


Looking for a safe place you.éan relax and 
meet other LGBT hackers? 


nd Saturday starting at 4PM 
for the Queercon Mixer at I-Bar. It's a great 
time to drink, socialize and meet other 
people. 


Friday at IOPM Queercon kicks into high gear 
with the hottest DJs at Defcon. Queercon is 
open to all LGBT hackers and friends. No bad 
attitudes and no invitations needed - come 
as you are. You are beautiful and we love you! 


Stay up to date with all queercon activities at 
queercon.org 


LOACTIVE FREAKSHOW 


Saturday night at the pool 


Representative of both the DEF CON 
community and the values of lOActive's own 
principles, the Freakshow is always inclusive, 
fun,and constantly pushing the boundaries 
of what is new and exciting. 


The Freakshow has humble beginnings. 
Eaunched in 2007 as.an.opportuünity to 
utilize some extra spáce and give.back to 
theinformation-security.commuünity, we 
expected 500 people to attend; and were 
astounded by 1000 party-goers. Last year's 
Freakshow saw record attendance of over 
4,000 people and included live music, fire 
dancers and all around good spirit. This year 
DEF CON 20 is posed'to be the biggest and 
most electrifying yearin the history of the 


conference and,the Freakshow is no different. 


CelebratingiounSth anniversary,we look 
forwardto this year being bigger, better and 
freakier than ever before! 


zh 
hi 


LOCKPICK VILLAGE 


10:00 — 18:00 daily in Tropical C,D,G,H 


Want to tinker with locks and tools the likes 
of which you’ve only seen in movies featuring 
cat burglars, spies, and secret agents? 

Then come on by the Lockpick Village, run 

by The Open Organisation Of Lockpickers, 
where you will have the opportunity to learn 
hands-on how the fundamental hardware of 
physical security operates and how it can be 
compromised. 


The Lockpick Village is a physical 
security demonstration and participation 
area. Participants can learn about 

the vulnerabilities of various locking 
devices, techniques used to exploit these 
vulnerabilities, and practice on locks 

of various levels of difficultly to try it 
themselves. 


Experts from TOOOL and Locksport 
International will be on hand to demonstrate 
and plenty of trial locks, picks, shims, and 
other devices will be made available. By 
exploring the faults and flaws in many 
popular lock designs, you can prepare 
yourself not only for possible work in the 
penetration testing field, but also simply gain 
amuch stronger knowledge about the best 
methods and practices for protecting your 
own infrastructure and personal property. 


EF EE Se 


WIRELESS VILLAGE 


10001800 daily in Tropical A 


Think you have the skills to crack WPA/WPA2 
passwords? 


Are you creative and like to roll your own? 
How about RF antenna's — do you have what 
it takes to make one that will measure up? 


Want to obtain the information you need to 
pass the Amateur Radio Technician Class 
license exam? 


Done anything with Bluetooth lately? 


Get these answers and more at the Wireless 
Village. Learn about wireless (802.11, 
bluetooth, software defined radio, and more) 
and Amateur Radio all in one place at the DEF 
CON 20 Wireless Village. The one place you 
will not want to miss.W 


HARDWARE HACKING 
VILLAGE 


10:00 — 18:00 daily in Rio Pavilion 1 


Many Defcons ago LostboY (aka 1057) 
walked from one end of the DEF CON 
conference spaces to the other, shouting the 
question, “Who wants to learn how to build 
asimple robot?" Eventually a large group 
wound up sitting on the floor in the contest 
area building and programming robots. 
Inspired by that event, Russ Rogers and LosT 
together organized what would become 
aregular DEF CON fixture — a dedicated 
space for hardware learning, hacking, and 
exploration: the Hardware Hacking Village 
(HHV) was born. The HHV has been helped 
along by many, such as Kingpin and a horde 
of volunteers. As of yet we have not burnt 
down any hotels with soldering irons. 


This year Russ and Ryan (LosT) decided to 
givea long time volunteer, "A" a chance to 
function in an administrative lead role in the 
HHV. Please welcome A and the volunteers 
he's got helping out this year. LosT, Kingpin, 
Russ and others will still be around from 
time to time. Soldering stations will be 
provided for soldering to the badge or other 
experimentation. 


If you've ever wanted to learn to solder, 

stop by - lessons are in an open format and à 
ongoing. If you've got hardware skills to 

share, stop by as well, we welcome those `i 
willing to share their knowledge: We will have 
people on hand to help you get started with 
microcontroller programming, circuit hacking, 
and tons of other hardware based hacker 

skillz. Come void some warranties with us. i 
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High, m3 L 
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iu 
" worthyor 100 pointszAnd 


In the beginning DT created 
DEF CON The First. And the 

con was formless and empty j 
of games, and darkness was 
rolling in the deep. 


o — M — 


Din Vain VICA d 


«4 heaped abuse and humiliation 
on every wrong answer, 
and brought forth special 
humiliation for every wrong 
Double Jeopardy answer, which 
denieth the people a glimpse 
of the breasts waiting to be 


ER s Ws - mem 
ie S Ore .à w LIN 


there was evening, and there 
was morning — the first DEF 
CON contest with free beer. 
And Winn said, "Let there be 
breasts," and there 
were. And the bare 


breasts pranced bared on stage. And there 
YOu: Tifi NK around the stage was evening, and there was 
7 y QURE i EET as a reward for , morning — the first DEF CON 
Ur ecc 
, kal ENQUGE TU Double Jeopardy, contest with free beer, nudity, a 
IN 4 and Winn called black badge, and humiliation. 
E Pi A Y them "Bad" and 
Q A HA CKER- "Kitty." And there And Winn looked on all that 
E JEQP. A RIY 2 was evening, - hehadcreated, and saw 
» À Fa n and there was . thatit was good. And on the 
morning — the first twentieth year, Winn said 
DEF CON contest to DT, “What the fuck hast | 


And Winn said, “You need a 
contest.” DT said, “Like what?” 
Winn said, “Shit, how about 
Hacker Jeopardy?” 


.. with free beer and nudity.And 
C Winn said to DT, “Let there 
. beablack badge,” and there 
. was. And DT added leather 
. jackets to the rewards. And 


wrought...?" 

a 

JA Andallthe people of the 
twentieth year were invited 
to find out what the fuck was 


And DT said, "Let there be . there was evening, and there wrought. 

Hacker Jeopardy,” and the was morning — the first DEF 

next con there was. And there . CON contest 

was evening, and there was _ with free beer, 

morning — the first DEF CON nudity, and a = 

contest. E black badge. : z 
d 

And Winn said, “Let there - And Winn said, ks 

be alcohol,” and there was si “What the fuck = 

alcohol in copious amounts. ~ u Let there be 

And the beer did flow and “humiliation,” 

the contestants did guzzle and there was. 

and burp. And each beer was 


And Winn 


- 


YOU CAN'T HANDLE THE TITS 


THE ONE. THE ORIGINAL. THE OLDEST & ONLY 
DEFCON EVENT WITH. LREAL SKIN IN THE GAMI 


DON @ FUCK IT UP. 


HACKER JEU 


WINN — GMARK VANNA VINYL ut lt 


TF YOURE REALLY LUCKY, MISS KITTY JUSLIN 


BUT BETT 
SOHOOL YOU! 


ETAL 


FRIDAY 7/27/2012 & SATURDAY 7/28/2012 * 9 PM i RACK 3 * ARRIVE EARLY 


THINK YOU KNOW YOUR SHIT? PUT IT b. IHE LINE. HUMILIATE OR 
BE HUMILIATED. WIN COOL SCHWAG! IF YOU WANT TO THINK & DRINK 
YOUR WAY TO A BLACK BADGE, EMAIL HACKERJ EOPARDY@GMAIL.COM 


DEFC&SN KIDS! 


DEFCON Kids is a not-for-profit teaching kids around the world how to love being white-hat hackers. http:/Awww.defconkids.org 


DAY 1 
FRIDAY 


10:00 - 11:00 


11:00 - 12:00 


12:00 - 13:00 


13:00 - 14:00 


14:00 - 15:00 


15:00 - 16:00 


16:00 - 17:00 


17:00 - 18:00 


18:00 - 19:00 


19:00 - 21:00 


DAY 2 


SATURDAY 


10:00 - 11:00 


11:00 - 12:00 


Classroom 
in Belize 


Meet Top Secret Keynote 
General Alexander 


The Wall of Lambs 
FS and cedoxx 


Geek Out! 
beaker and clOver 


Welcome to DEF CON 20 
Dark Tangent 


DEF CON Badge Secrets 
LOst 


Hacking Hotels and the Law 
Major Malfunction and Max 


Taking Open Source 
Drones Mainstream 
Chris Anderson 


How to Use Social 
Engineering 
Chris Hadnagy 


Movie 
War Games - PG 


Classroom 
in Belize 


Hacking Your 
School’s Network 
Cory Doctorow 


Lockpicking 
Deviant 


Workstations 
in Antonio's Ristorante 


Code Breaking Museum 


NSA 10:00 - 18:00 


SnapCircuits 
beaker and clOver 


11:00 - 18:00 


Wall of Lambs 
FS and cedoxx 


Find a Zero-Day 
CyFi 


Lockpicking 
Deviant 


Hacking Hotels and the Law 
Major Malfunction and Max 


Q&A on Drones 
and 3D Printing 
Chris Anderson 


Movie 
Sneakers - PG-13 


Workstations 
in Antonio's Ristorante 


Code Breaking Museum 


NSA 10:00 - 18:00 


SnapCircuits 
beaker and clOver 


11:00 - 18:00 


Contests 
in Antonio's Ristorante 


Hoff’s NSA Crypto Challenge 


Hacker Board Games 


The Lambs & The Wolves 


CyFi Zero Day Contest 
14:00 - END 


DEF CON Badge Secrets 
15:00 - END 


Lockpicking Race 


Hacker Board Games 


Capture the Flag 
18:00 - END 


Movie 
Sneakers - PG-13 


Contests 
in Antonio's Ristorante 


DoD Crime Scene 
Investigation 


10:00 - 18:00 


Hoff’s NSA Crypto Challenge 


Field Trips 
at DEF CON 20 


Welcome and The Making of the Badge 


Dark Tangent and LOst 


Can you track me now? 


Government and corporate surveillance 


of mobile geo-location data. 
Christopher Soghoian 


Top Secret Keynote 
General Alexander 


The Making of DEF CON 20 
DEF CON Goons 


Changing the security paradigm... 


Shawn Henry 


DEF CON Badge Secrets 
LOst 


Safes and Containers 
Marc Weber Tobias 


The Real Hustle 
Paul Wilson 


Field Trips 
at DEF CON 20 


World War 3.0 - 


The battle for the Internet between 


the forces of Chaos & Control 


Michael Joseph Gross, Vanity Fair 


Hacking Humanity: 


Human Augmentation and You 


Christian Quaddi Dameff 


12:00 - 13:00 


13:00 - 14:00 


14:00 - 15:00 


15:00 - 16:00 


16:00 - 17:00 


17:00 - 18:00 


18:00 - 19:00 


19:00 - 21:00 


DAY 3 
SUNDAY 


10:00 - 11:00 


11:00 - 12:00 


12:00 - 13:00 
13:00 - 14:00 


14:00 - 15:00 


15:00 - 16:00 


16:00 - 17:00 


17:00 - 18:00 


18:00 - 19:00 


Weaponizing Mobile 
Marcus & Erran Carey 


Wall of Lambs 
FS 


The Lambs & The Wolves 


DIY Electric Car 
David Brown 


Practical Privacy Tips 
Moxie Marlinspike 


Hardware Hacking 
and Soldering 
Joe Grand 


Hardware Hacking 
and Soldering cont'd 
Joe Grand 


The Feds 
Jim Christy 


DEFCON Kids TV Production 
DH & Goodson 
14:00 - 18:00 


Coding with Scratch 
beaker and Alex 


3D Printing with Frosting 
beaker and Atex 


Meet the Feds 
Jim Christy 


Chaos & Conirol 


Hacker Board Games 


Coding with Scratch 


Spot the Fed 


Fed Panel 
Priest 


Bigger Monster, Weaker Chains: 
The NSA and the Constitution 
ACLU 


Hacker + Airplanes = 
No good can come of this 
RenderMan 


Busting the BARR: Tracking “Untrackable” 
Private Aircraft for Fun & Profit 
Dustin Hoffman 


Movie 
Hackers - PG-13 


Classroom 
in Belize 


Hacking Roller Coasters and 
the Power Grid with Cell Phones 


Don Bailey 


Hacking Venture Capital 
Phil Paul 


Movie 
The Net - PG-13 


Workstations 
in Antonio's Ristorante 


Code Breaking Museum 


NSA 10:00 - 17:00 


DEFCON Kids TV Production 


DH & Goodson 11:00 - 17:00 


Movie 
The Net - PG-13 


Contests 
in Antonio's Ristorante 


DoD Crime Scene 
Investigation 


10:00 - 17:00 


Hacker Board Games 


Field Trips 
at DEF CON 20 


Robots 
Katy Levinson 


Lockpicking and Hardware Hacking Villages 


Building the 
DEFCON Kids App 
Thomas Leavy 


Fight for Your Right... 
Marcia Hoffman 
Kurt Opsahl 


Cyber Patriot— 
A Student’s Perspective 
Kevin Houk 


Hacking as Practice for 
21st Century Life: 
Preparing the World 
for a New Species 
Richard Thieme 


3D Printing with 
My MakerBot 
Joe Grand 13:00 - 17:00 


Building the DEFCON Kids App 


Thomas Leavy 


14:00 - 17:00 
EFF Workstation 


Marcia Hoffman 


Cryptoglass Clues 
Nico 


3D Designs 


13:00 - 17:00 


The Shark Tank 


EFF Contest 


Cryptoglass Clues 


Contests Area and Vendor Area 


Old School Hacking 
Kevin Poulsen 


Hacking the GoogleTV 
Amir Zenofex Etemadieh 


How to Hack all the 
transport network of a country 
Alberto Garcia 


Awards Ceremony 


19:00 - 21:00 


Awards Ceremony 


a Bie 


THE DARK TANGENT 


LOST 

DT will address the con and officially open DEF 
CON 20. Following his address LostboY will enter 
into the story of mystery and imagination that 

is the badge game this year. (Oh, and talk about 
the making of the badge as well — as much as he 
can sans spoilers.) The dual-phase nature of the 
contest will also be discussed, which includes 
hardware hacks/modifications as well as solving 
the cryptographic puzzle challenges. Finally we'll 
talk about the joys and pains of this year’s badge 
fabrication, which was all done in the USA. 


WITH JASON SCOTT, GAIL THACKERAY AND DEAD 
ADDICT. 


As you may have heard, in honor of our 20th 
anniversary, we have’a’DEF GON Documentary 
in the making by none other than Jason Scott 
of textfiles.com! At the beginning of thishour 
he will give you a quick sneak peek of the film 
and maybe discuss a few juicy tidbits! 


Up next will be Gail Thackery and Dead Addict, 
to give a special introduction to this years VIP. |] 


Twenty years ago, Dead Addict practically begged 

Gail Thackeray to appear at DEF CON, even 

though she was actively prosecuting several of 

his close friends. Since then the government (law — . 

enforcement, military, and intelligence community) 

has actively participated in DEF CON; to the point 

where we've been given the moniker ‘FED CON’. 

Dead Addict will discuss the.evolvingrelationship — 

between government, the hacker community, and 

the civil liberties community. While obviously at 

odds with each other in some areas, there is also 

shared ground between these groups. This year 

he was happy to be able invite Gail again, this 

time not begging as much, and thankfully she isn't F 
b 


prosecuting any of his friends. 


When Gail first spoke at DEF CON Tthere was 


no world wide web, state sponsored computer = 
warfare was the stuff of science fiction, and ) 
international mafias had yet to become major E 


players in computer crime.Internationally known 
for her role in Operation Sundevil, the former 
prosecuting attorney will discuss the changes 

in the computer security legal landscape since 
she first spoke at DEF CON. She will also discuss 
the evolution of the relationship between 

the computer security researcher community 
and law enforcement and government. 


Gail Thackeray is a former Assistant Attorney. 
General and Special Counsel recently retired 
from the Arizona Attorney General's Office. 
Her career prosecuting electronic crimes 
included the investigation and prosecution 

of early infrastructure attacks on a telephone 
network and a power company, as well as 
numerous fraud, cyberstalking and intrusion 
crimes. She participated in the nationwide 
Secret Service hacker investigation known as 
"Operation Sundevil" and attended the firstDEF 
CONConference. She currently works at the 
Arizona Counter Terrorism Information Center 
as a computer forensic examiner. She hasa 
B.A. from Vassar College, a J.D. from Syracuse 
University, and earned the CFCE forensics 
certification from the International Association 
of Computer Investigative Specialists (IACIS). 


Gail and Dead Addict will be introducing our 
special guest General Keith B. Alexander, 


Commander of U.S. Cyber Command and 
Director of the National Security Agency. 


GENERAL KEITH B. ALEXANDER 


Weasa global society are extremely vulnerable 


and at risk for a catastrophic cyber event. Global 


society needs the best and brightest to help 


secure our most valued resources in cyberspace: 
our intellectual property, our critical infrastructure 
and our privacy. DEF CON has an important place 
in computer security. It taps into a broad range of 
talent and provides an unprecedented diversity of 
experiences and expertise to solve tough problems. 
The hacker community and USG cyber community 
share some core values: we both see the Internet 


as an immensely positive force; we both believe 


information increases in value by sharing; we both 
respect protection of privacy and civil liberties; we 
both believe in the need for oversight that fosters 
innovation, doesn't pick winners and losers, and 


retains freedom and flexibility; we both oppose 
malicious and criminal behavior. We should 
build on this common ground because we have 
a shared responsibility to secure cyberspace. 


General Keith B. Alexander is the Commander, 
U.S. Cyber Command (USCYBERCOM) and 


Director, National Security Agency/Chief, Central 


Security Service (NSA/CSS). As Commander, 


USCYBERCOM, he oversees planning, coordinating 


and conducting operations and defense of DoD 
computer networks. As Director, NSA/Chief, 
CSS, he oversees a DoD agency with national 
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foreign intelligence, combat support, and U.S. 
national'security information System protection 
responsibilitiés, GEN AleXander holdsia,B'S“frona 
the U.S. Military Academy, a M.S. in Business 
Administration from Boston University, a M.S. in 
Systems Technology (Electronic Warfare) and 

a M.S. in Physics from the Naval Post Graduate 
School, and a M.S. in National Security Strategy 
from the National Defense University. 


HIGHWIZ 


PYRO, ROAMER, LOCKHEED, ALXROGAN, 
LOST, FLIPPER 

DC101 is the Alpha to the closing ceremonies’ 
Omega. It’s the place to go to learn about the 
many facets of Con and to begin your Defconian 
Adventure. Whether you're a nOOb or a long 
time attendee, DC101 can start you on the path 
toward maximizing your DEF CON Experiences. 


DAKAHUNA 


Cracking Wireless encryption keys is a fundamental — 


capability that should be in every penetration 
tester's skill set. This talk will walk you through 
the basic steps necessary to break Wireless 
Encryption Protocol (WEP) and steps to perform 


- dictionary and brute force attacks against 


Wi-Fi Protected Access (WPA & WPA2). 


RIPSHY, HACKAJAR 


Putting up a flag and asking for help on the Internet 
is not for the faint of heart. When you simply want 
to get started with information security, hacking 

or just playing around with the vulnerabilities of 
computer systems, asking the right question to 
the right person is a crap shoot. Tired of being 

on the outside looking in? This 101 talk will help 
you get your feet wet! It will provide you the 

basic knowledge required when starting out in 

the InfoSec scene. Afraid to ask someone what 
the best NMap toggles are? Can't even get your 
metasploit running? Having trouble decoding your 
tcpdumps? We can help! Spend 50 min. with us 
and jump start the next 50 years of your life! 


SIVIAK 


YOU: are part of the problem. You should count 
yourself among the ranks of the unprepared. You 
are under-educated and fooling yourself. You 
are sheep, you just don't know any better... but 
ignorance is no excuse. You know that much. 


Navigating the world of Social Engineering is 

often portrayed with the image of “Jedi mind- 
tricks" and labeled with terms like *The Art of 
Deception”... These are all just ploys to convey 
mysticism, sell books and add value to a skill based 
on common sense, perception and the ability to 
think further than the end of your own nose. 


It’s time to remove the wool and learn what Social 
Engineering is and how it works. Welcome to a 
crash course in the oldest CLI.... Bring a helmet. 


ROAMER, LOCKHEED, ALXROGAN 


Have you ever wondered how you can translate 
your mad skillz into an actual job? Does coming 
to DEF CON even help you get there? Four 
members of the DEF CON staff will astound you 
with the stories of how they took their experiences 
at DEF CON and turned them into the jobs of 
their dreams. Despite using their DEF CON 
experiences to obtain these jobs, they represent 
four completely different industries: Government, 
Energy, Health Care, and the Video Game Industry 
in a variety of different job functions. Learn from 
their experience and find out what they look 

for (from the community?) when they need to 

fill positions in their respective industries. 


TERRENCE ‘TUNA’ GARREAU 


Fuck a bunch of skiddie tools acquired from bobo 
forums. One does not have to be a master to write 
their own shit. Yoda said it best get off your dick 
and write yourself some Python (Just don't show it 
to Highwiz he might bite it). Also always remember 
to stay in the the wizards good graces or you will 
find yourself publicly humiliated. You can come to 
this talk and find oUt how to be humiliated publicly 
but also: learn some python from a hackers 
perspective. Oh yea: Dongs, Schlongs, and Turds. 


LOST 


Since this is DCIOT, I’ve got some things | want to 
get off my chest — a brief overview of ‘foundational’ 
hacker knowledge that I personally believe 

all hackers should have or would want — from 
subculture references to numerical oddities, 

this will be a meat space core dump of an 
ADD-OCD hacker. (ADD-OCD: I'm constantly 
changing what I’m completely obsessed about.) 
Topics will include mathematics, linguistics, 
programming, hardware, DEF CON, robotics, and 
more. A veritable cornucopia of fun. Or not. 


DR. TRAN 


Everyone relies on their locks to keep things secure. 
From front doors to filing cabinets, they give us the 
sense of security that no one else can get inside 
without the proper key. However, in reality, most 
locks can be picked trivially without any evidence 
of exploitation. You will learn how and why 
lockpicking works as well as what manufacturers 
have done to protect against such shenanigans. 


CHEMA ALONSO 
MANU ‘THE SUR’ 


Man in the middle attacks are still one of the 
most powerful techniques for owning machines. 
In this talk MITM schemas in anonymous services 
are going to be discussed. Then attendees will 
see how easily a botnet using javascript can be 
created to analyze that kind of connections and 
some of the actions people behind those services 
are doing... in real. It promises to be funny. 


ANCH 

OMEGA 

The Internet of Things... It is coming, wearing 
hardware that communicates across the Internet 
is Starting to become a reality, chips are getting 
smaller, as a society we are connected all the time... 
Building these devices is easier than we thought, 
putting them onto a network that is ours... EVEN 
BETTER! Come experience the Darknet of Things. 
Learn what we built, how we built it, and why. 
Learn how to get involved with a new community 
project, see what some of the DEF CON groups 
have been working on. Most importantly, learn 
how you can connect to the Darknet of Things. 


CHRIS ANDERSON 


Thanks to the plummeting cost of powerful 

motion sensors like those found in smartphones, 

the technology to create military-class autopilots 

is available to all. Over the past five years, the 

DIY Drones community has created a series of 

open source unmanned aerial vehicles (UAV), 

from fully-autonomous planes, helicopters, 
quadcopters, hexacopters, rovers and more, which 

cost just a few hundred dollars — less than 1% 

the cost of equivalent military drones. As a result 

there are now more than 10,000 of them in use 

— more than the US Military. As DIY drones go — 
mainstream, what are the practical applications 
that will emerge, and the legal, ethical and 
economic implications? How does open source 
change the regulatory aspects of drones? And 4 
will the rise of "personal drones" have a similar { 
social impact as “personal computers” did? 


ATLAS 


Wifi is cool and so is cellular, but the real fun 
stuff happens below the GHz line. Medical 
systems, mfg plant/industrial systems, cell 
phones, power systems, it’s all in there! 


atlas and some friends set out to turn pink 
girltech toys into power-systems-attack 
tools. Through several turns and changes, 
the ccllllusb project was born, specifically to 
make attacking these systems easier for all 
of you. With a $50 USB dongle, the world of 
ISM sub-GH is literally at your fingertips. 
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New and improved! If you missed it atisbmoocon, 
here's your.emaince to'see the intro to this fUA. 
new world. If you caught it atshmoo; come 

to the talk and prove youn < ghz prowess and 
wirelessly hack a special pink girl’s toy target! 


ADAM ‘EVILPACKET’ BALDWIN 


This talk will announce the release and 
demonstrate the xss.io toolkit. xSS:io0 is a platform 
to help ease cross-site scripting (xss) exploitation 
and specifically for this talk identification of blind 
xss vectors, Think drag,ànd drop exploits post xss 
vuln identification. For blind xss, xss.io is a callback 
and hook manager for intel collected by executed, 
and non-executed'butaccessed payloads. 


KEVIN BANKSTON 


MATT BLAZE 


JENNIFER GRANICK 


Prompted by the Google Street View WiFi sniffing 
scandal, the question of whether and how the law 
regulates interception of unencrypted wireless 
communications has become a hot topic in the 
courts, in the halls of the FCC, on Capitol Hill, 

and in the security community. Are open WiFi 
communications protected. by federal wiretap 
law, unprotected, or some strange mix of the two? 
(Surprise: it may be the last. one, so you'll want 

to come learn the line between what's probably 
illegal sniffing and what's probably not.) 


More importantly, what should the law be? 
Should the privacy of those who use WiFi 
without encryption be protected by law, or 
would regulating open WiFi sniffing pose too 
great a danger to security research and wireless 
innovation, not to mention DEF CON traditions 
like the Wall of Sheep? Join legal expert Kevin 
Bankston and technical expert Matt Blaze as they 
square off in a debate to answer these questions, 
moderated by Jennifer Granick. (Surprise: the 
lawyer is the one arguing for regulation.) 
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BITWEASIL 


Bitweasil goes through the latest developments 
in the Cryptohaze GPU based password cracking 
suite. WebTables is a new rainbow table 
technology that eliminates the need to download 
rainbow tables before using them, and the new 
Cryptohaze Multiforcer is an open source, GPLv2, 
network enabled platform for password cracking 
that is easy to extend with new algorithms for 
specific targets. The Cryptohaze Multiforcer 
supports CUDA, OpenCL, and CPU code (SSE, 
AVX, etc). All of this is aimed at either the 
pentester who can't spray hashes to the internet, 
orthe hacker who would rather not broadcast 
what she obtained to pastebin scrapers. 


RODRIGO RUBIRA BRANCO 
JAMES OAKLEY 
SERGEY BRATUS 


This presentation describes a new technique 

for abusing the DWARF exception handling 
architecture used by the GCC toalichain. This 
technique can be used to exploit vulnerabilities in 
programs compiled with or linked to exception- 
enabled parts. Exception handling information is 
stored in bytecode format, executed by a virtual 
machine during the course of exception unwinding 
and handling. We show how a malicious attacker 
could gain control of those structures and inject 
bytecode for malicious purposes. This virtual 
machine is actually Turing-complete, which means 
that it can be made to run arbitrary attacker logic. 


JOSH BRASHARS 


Payphones. Remember those? They uséd 

to be a cornerstorie of modern civilation, 
available at every street corner, gas station, or 
any general place of commerce. For decades, 
hackers and phone phreaks crowded around 
them as an altar to high technology and a 
means to “reach out and touchsomeone”. 


Fast forward to today, most people have mobile 
phones. Payphones installed decades earlier 
are now more of a memorial to a time long gone 
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by. Covered with grime and graffitti, forgotten, 
relegated to the realm of drug dealers and 
other undesirables. But they're still around; 
and they’re more vulnerable than ever. 


This talk will review modern hacking techniques 
applied to retro hardware. We'll cover owning t 
payphones and how they can be retrofitted with 
new technologies to turn them into the ultimate 
low profile hacking platform to compromise your 
organizations network. There will be demos of 
payphone hacking on stage, as well as using 

the payphone to intercept voice phone traffic. 


We'lLalso reveal a new tool to.automate the " * 


exploitation of payphones and relate how (like 
with all forms of archaelogoy) learning about old 


platforms can help us secure modern architecture. on 


JONATHAN BROSSARD 


This presentation will demonstrate that permanent ™ 
backdooring of hardware is practical. We have 
built a generic proof of concept malware for the 
intel architecture, Rakshasa, capable of infecting 
more than a hundred of different motherboards. 


The first net effect of Rakshasa is to disable NX bí 
permanently and remove SMM related fixes 

from the BIOS, resulting in permanent lowering p" 
of the security of the backdoored computer, NS 


even after complete earasing of hard disks and 
reinstallation of a new operating system. We ~ 
shall also demonstrate that preexisting work 

on MBR subvertions such as bootkiting and 
preboot authentication software bruteforce can 
be embedded in Rakshasa with little effort. More 
over, Rakshasa is built on top of free software, 
including the Coreboot project, meaning that 
most of its source code is already public. This 
presentation will take a deep dive into Coreboot 
and hardware components such as the BIOS, 
CMOS and PIC embedded on the motherboard, 
before detailing the inner workings of Rakshasa 
and demo its capabilities. It is hoped to raise 
awareness of the security community regarding . 

the dangers associated with non open source 

firmwares shipped with any computer and 

question their integrity. This shall also result in 

upgrading the best practices for forensics and post e 
intrusion analysis by including the afore mentioned 
firmwares as part of their scope of work. 
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DAVE BROWN 


: Electric Vehicles are an exciting area of developing 


technology entering the mainstream market. 
Every major manufacturer is working on new 


. hybrid.and electric vehicles but prices will be 


high and options few for years to come. 


As with many industries, a DIY approach 


x can yield similar results for much less cost, 


- while creating something truly unique. 


This talk will explore the possibilities and 
procedures involved in creating your own electric 
vehicle. Topics addressed will include the whys 
and hows, with an emphasis on the options 
available to tailor'your conversion to match 

your time, budget, and performance needs: 


FRANCIS BROWN 
ROB RAGAN 


All brand new tool additions to the Google 
Hacking Diggity Project— The Next Generation 
Search'Engine Hacking Arsenal. As alWays; 

all tools are free for download and use: 


When last we saw our heroes, the Diggity Duo had 
demonstrated how search engine hacking could 
be used to take over someone's Amazon cloud in 
less than 30 seconds, build out an attack profile of 
the Chinese government's external networks, and 
even download all of an organization's Internet 
facing documents and mine them for passwords 
and secrets. Google and Bing were forced to hugit 
out, as their services were’seamlessly combined to 
identify which of the most popular websites on the 
Internet were unwittingly being used as malware 
distribution platforms against their own end-users. 


Now, we've traveled through space and time; 
my friend, to rock this house again... 


True to form, the legendary duo have toiled night 
and day in the studio (a one room apartment 
with no air conditioning) to bring you an entirely 
new search engine hacking tool arsenal that's 
packed with so much tiger blood and awesame- 
sauce, that it's banned on 6 continents. Many 

of these new Diggity tools are also fueled by 

the power of the cloud'and provide you with 
vulnerability data faster and easier than ever 
thanks to the convenience of mobile applications. 


JEFF BRYNER 


Last year saw the release of Kinectasploit 

V1 linking the Kinect with Metasploit in a 3D, 
first person Shooter environment. What if we 
expanded Kinectasploit tõuse 20 security tools 
inhonor.of DEF CON’s 20th'anniversary?! 


ELIE BURSZTEIN 
PATRICK SAMY 


Fuzzing online games to find interesting bugs 
requires a unique set. of novel techniques. 


In a nutshell the lack of direct access to the 
game server and having to deal with clients 
that are far too complex to be easily emulated 
force us to rely on injecting fuzzing data into 

a legitimate connections rather than use the 
standard replay execution approach. Top 

that with heavily encrypted and complex 
network protocols and you start to se&why 
we had to become creative to succeed :) 


In this talk, we will discuss and illustrate the novels 
— techniques we had to develop to be able to fuzz 


online games, including how to successfully inject 
data into a gaming sessions and how to. instrument 
the game memory to know that,our fuzzing was 
Successful, We will also tell you how to find and 
reverse the interesting part of the protocol, and 
how to decide when to perform the injection. 


LINDA C. BUTLER 


Everyone from MIT to the DoD have agreed that 
teaching cyber security using cyber challenges, 
where groups of students attack’ or defend a live 
network, has próven to be an incredibly effective 
educational tactic. Unfortunately, current cyber 
challenge tools also suffer from being very hard 
to configure, and/or very expensive, and/or 
limited to certain audiences (e.g. the military), 
which makes them inaccessible to high schools, 
colleges, and smaller organizations. The Open 
Cyber Challenge Platform aims to help fix this by 
providing a free, open-source, cyber challenge 
software platform that is reasonable in terms of 
cost of required hardware and required technical 
installation/maintenance expertise, as well as 
easily extensible to allow the vast open source 
community to provide additional modules that 
reflect new challenges and scenarios. If you're 


interested in the future of cyber-security education, 
or simply just want to learn about a new potential 
training tool, come check out the OCCP. 


THOMAS CANNON 


This talk details a selection of techniques for 
getting the data out of an Android device in order 
to perform forensic analysis. It covers cracking 
lockscreen passwords, creating custom forensic 
ramdisks, bypassing bootloader protections 

and stealth real-time data acquisition. We'll 
even cover some crazy techniques — they may 
get you that crucial data when nothing else 

will work, or they may destroy the evidence! 


Forensic practitioners are well acquainted with 
push-button forensics software. They are an 5 
essential tool to keep on top of high case loads — 
plug in the device and it pulls out the data. Gaining 
access to that data is a constant challenge against 
sophisticated protection being built into modern 
smartphones. Combined with the diversity of 
firmware and hardware’on the Android platform it 
is not uncommon to require some manual methods 
and advanced tools to get the data you need. 


This talk will reveal some of the techniques forensic 
software uses behind the scenes, and will give 
some insight into what methods and processes 
blackhats and law enforcement have at their 
disposal to get at your data. Free and Open Source 
tools will be released along with this talk to help 
you experiment with the techniques discussed. 


JIMCHRISTY ANDY FRIED 
JON IADONISI DAVID MCCALLUM 
LEON CAROLL JUSTIN WYKES , 


RICH MARSHALL 


Did you ever wonder if the Feds were telling you're 
the truth when you asked a question? Join current 
and former federal agents from numerous agencies 
to discuss cyber investigations and answer your 
burning questions. Enjoy the opportunity to grill 
'em and get down to the bottom of things! 


Agencies that will have representatives 

include: Defense Cyber Crime Center (DC3), 
National White Collar Crime Center (NWC3), 

US Department of Treasury, Internal R evenue 
Service (IRS), and the US Navy SEALs. This year, 
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~ the “Meet the Feds” Panel. has gone Hollywood 


with special.guests — Mr. David McCallum 
and Mr. Leon Carroll from CBS's NCIS! 


JIM CHRISTY ROD BECKSTROM 
JERRY DIXON MISHEL KWON 
MARK WEATHERFORD RILEY REPKO 

DR. LINTON WELLS BOB LENTZ 


Did you ever wonder if the Feds were telling you're 
the truth when you asked a question? Join current 
and former federal agents from numerous agencies 
to discuss cyber investigations and answer your 
burning questions. Enjoy the opportunity to grill 
‘em and get down to the bottom of things! 


SANDY CLARK 
MATT BLAZE 


Last year, we discovered practical protocol 
weaknesses in P25, a "secure" two-way radio 
system used by, among others, the federal 
government to manage surveillance and other 
sensitive law enforcement and intelligence 
operations. Although some of the problems are 
quite serious (efficient jamming, cryptographic 
failures, vulnerability to active tracking of idle 
radios, etc), many of these vulnerabilities 
require an active attacker who is able and 
willing to risk transmitting. Sowe also examined 
passive attacks, where all the attacker needs 

to dois listen, exploiting usability and key 
management errors when they occur. And we 
built a multi-city networked P25 interception 
infrastructure to see how badly the P25 security 
protocols do in practice (spoiler: badly). 


This talk will describe the P25 protocols and how 
they failed, but will focus on the architecture 

and implementation of our interception network. 
We used off-the-shelf receivers with some 
custom software deployed around various US. 
cities, capturing virtually every sensitive, but 
unintentionally clear transmission (and associated 
metadata) sent by federal agents in those cities. 
And by systematically analyzing the captured 
data, we often found that the whole was much 
more revealing than the sum of the parts. Come 
learn how to set up your own listening-post. 
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CHRIS CONLEY 


Efforts at the federal level to pass laws like SOPA 
and CISPA and require that tech companies build 
backdoors into their services for law enforcement 
use have attacted widespread attention and 
criticism, and rightly so. But DC is far from the 
only place that officials are making decisions 
that impact the privacy and free speech rights of 
tech users. State and local officials are jumping 
into the fray as well, passing laws or creating 
policies that have immediate impact without 

the spotlight that accompanies federal action. 


In this talk, | will survey several areas where 
state and local officials have recently been 
active, including warrantless location tracking, 
searches of student and employee devices 

and online accounts, automated license plate 
recognition, and DNA collection. | will highlight 
some of the best and worst policies coming 
from state and local officials. Most of all, | hope 
to convince you that keeping an eye on — and 
even taking time to educate — your local sheriff 
or state legislature may be just as important as 


- protecting your freedoms at the national level. 


GREG CONTI 
LISA SHAY 


GREG CONTI 


From smart pajamas that monitor our sleep 
patterns to mandatory black boxes in cars to 

smart trash carts that divulge recycling violations 
in Cleveland, virtually every aspect of our lives 

is becoming instrumented and increasingly 
connected to law enforcement, government, and 
private entities. At the same time, these entities are 
incentivized to further collect, process, and punish 
in the name of financial advantage, public safety, or 
security. The trend of automated law enforcement 
is inescapable and touches every citizen. This 


„talk will explore the implications of automated 


law enforcement, study the incentives at play, 
Survey recent advances in sensing and surveillance 
technology, and will seek to answer the following 
questions and more. Were laws written with the 
idea of universal and perfect enforcement in mind? 


MICHAEL COPPOLA 


Routers are the blippy switchy boxes that make 
up the infrastructure of networks themselves, 
yet few administrators actually care to change 
the default login on these devices. Interestingly, 
nearly all consumer (SOHO) routers allow a user 
to reflash the device by uploading a (presumably 
vendor-provided) firmware image. By abusing 
this feature, it is possible for an attacker to craft 
his or her own malicious firmware image and 
execute arbitrary code on the device, granting 
full control over the OS, the network it manages, 
and all traffic passing through it. Additionally, 
interesting persistence and pivot opportunities 
are realized, allowing an attacker to maintain 
access or target internal hosts in a covert way. 


. Based on personal experience, we'll examine the 
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process of backdooring firmware images for SOHO 
routers from start to finish. A generalized technique 
to backdoor firmware images will be outlined, 

and a new framework to abstract and expedite 

the process will be publicly released. Working 
examples will be presented which demonstrate 
the ability to pop shells, hide connections, sniff 
traffic, and create a router botnet of doom. 


JOSHUA CORMAN 


DAN KAMINSKY 
JEFF MOSS 


ROD BECKSTROM 
MICHAEL JOSEPH GROSS 


There is a battle under way for control of the 
Internet. Some see it as a fight between forces 

of Order (who want to superimpose existing, 
pre-digital power structures and their notions 

of privacy, intellectual property, security, and 
sovereignty onto the Net) and forces of Disorder 
(who want to abandon those old structures and let 
the will of the crowd control a new global culture). 
Yet this binary view of the conflict excludes the 
characters with the best chance of resolving it: 
those who know.that control is impossible and 
chaos is untenable, a group that Vanity Fair, in an 


article called "World War 3.0,” called "the forces 


of Organized Chaos" This panel gathers leading 


proponents of that worldview to discussurgent 
issues of Internet governance, which may come 
to a head later this year in a Dubai meeting of the 
U.N’s International Telecommunications Union. If 
government control and anarchistic chaos online 
are unacceptable, what exactly do the forces 

of organized chaos propose as an alternative? 
And what is the DEF CON community's role 

in helping to realize that vision of the Net? 


ANGCUI 


We present FRAK, the firmware reverse analysis 
konsole. FRAK is a framework for unpacking, 
analyzing, modifying and repacking the firmware 
images of proprietary embedded devices. The 
FRAK framework provides a programmatic 
environment for the analysis of arbitrary embedded 
device firmware as well as an interactive 
environment for the disassembly, manipulation 
and re-assembly of such binary images. 


We demonstrate the automated analysis of 

Cisco IOS, Cisco IP phone and HP LaserJet printer 
firmware images. We show how FRAK can integrate 
with existing vulnerability analysis tools to 
automate bug hunting for embedded devices. We 
also demonstrate how FRAK can be used to inject 
experimental host-based defenses into proprietary 
devices like Cisco routers and HP printers. 


CUTAWAY 


. When you look at a Smart Meter, it practically 


winks at you. Their Optical Port calls to you. It 

calls to criminals as well. But how do criminals 
interact with it? We will show you how they look 
into the eye of the meter. More specifically, this 
presentation will show how criminals gather 
information from meters to do their dirty work. 
From quick memory acquisition techniques to more 
complex hardware bus sniffing, the techniques 
outlined in this presentation will show how 
authentication credentials are acquired. Finally, a 
method for interacting with a meter’s IR port will be 
introduced to show that vendor specific software 

is not necessary to poke a meter in the eye. 


This IS the-talk that was not presented at 
ShmooCon 2012 inresporise to.requests from 
a Smart Grid vendor and the concerns of 
sevefal utilities. We have worked with them: 
They should be okay with this.....should..... 


ZACHARY CUTLIP 


Three easy steps to world domination: 


Pwn a bunch of SOHO routers. 
eer 
Profit 


| can help you with Step 1. In this talk, I'll describe 
several O-day vulnerabilities in Netgear wireless 
routers. I’ll show you how to exploit an unexposed 
buffer overflow using nothing but a SOL injection 
and your bare hands. Additionally, I'll show how 
to use the same SOL injection to extract arbitrary 
files from the file systems of the wifi routers. This 
presentation guides the audience through the 
vulnerability discovery and exploitation process, 
concluding with a live demonstration. In the 
course of describing several vulnerabilities, | 
present effective investigation and exploitation 
techniques of interest to anyone analyzing 

SOHO routers and other embedded devices. 


JEFF MOSS 


JERICHO 
RUSS ROGERS 


DEF CON is proud to announce the 2nd annual DEF 
CON awards ceremony, renamed the DC Recognize 
Awards. These awards are given to deserving 
individuals in the community, industry, and media. 


You voted, so come see who made the cut. 


CHRISTIAN ‘QUADDI’ DAMEFF 
JEFF'R3PLICANT' TULLY 


You've played Deus Ex. You've seen Robocop. 
You've read Neuromancer. You've maybe even 
wondered just what dark mix of technology 
and black magic keeps the withered heart 

of Richard "Dick" Cheney pumping coronary 
after coronary. Now it's time to get off the 
couch and put down the controller. Human 
augmentation is no longer constrained to the 


world of speculative fiction and vice-presidential 
medicine; biomechanical interfaces are an 
exploding area of active research, development, 
and implementation. And they're here to stay. 


Join medical student/hacker enthusiasts quaddi 
and r3plicant for a fun-filled tour through the 
brave new world of the latest and greatest in this 
exciting new melding of medicine and technology. 
From the simplest insulin pump to the latest 
gyroscopic prosthesis for wounded veterans, 
from the full body DARPA developed exoskeleton 
of the future to the changes currently being 
implemented in our most fundamental building 
blocks, this talk explores what was, what is and 
what will be in the future of human augmentation, 
and more importantly, what you need to know 

to get started down the path to Robocop glory. 


BLAKDAYZ 


ANARCHY ANGEL, ANCH, DAVE MARCUS, 
NICK FARR 

As hackers, we have access to tremendous 
informational power. At our individual 
hackerspaces and DCGs we build communities 
of like minded hackers that push the 

limits of technology. But have we gone 

far enough in building a global hacking 
community that celebrates diversity and 
unleashes world-changing genius? 


We.can accelerate the opportunity for community 
and change through technology. Take a seat and 
hear what resources are available to the groups 
and hackspaces in your area. By connecting 

our chaos, we can transcend the isolation 

and polarization that dominates much of our 
communities. We can unite and empower. Join 
the discussion and chaos so we can evolve 

the way our community will be connected. 


How do you change the world? One connected 
hacker, hackerspace and DCG at a time. 


DARKRED 


Frequently people consider a serial number as 
nothing but a number but in this presentation 
you will be shown the multitude of ways in which 
an attacker could utilize serial numbers to hurt 
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you,to hurt companies. as well as to track your 


| movements. A brief primer on the function and use 


of serial numbers in the real world will be provided. 
Focusing on Apple, Amazon and Pringles and 
providing in-depth insight into the varying degrees 
of trust a serial number will gain you. Attack vectors 
ranging from Apple to Pringles and everywhere in 
between along with points about how to prevent 
similar tragedies from occurring with your product. 


ROBERT DEATON 
Eg 


Analyzing live network traffic is nothing new but the © 
tools still seem limited. Wireshark is great for post E 
capture analysis but when the packets are coming 

at you live, nothing currently gives your stream or 
session level visibility. How many times have you 
clicked ‘Follow this stream’ just to have that stream 
update and you have to reprocess the entire PCAP? 
That's great when it's just your machine but when 
you're monitoring a network, it limits your view and 

is a pain. As more traffic adds, this problem grows 
and makes life for your little netbook quite painful. 
Enter DivaShark — your live packet capture solution. 


CORY DOCTOROW 


Assuming the failure of all the calls to regulate 
PCs and the Internet because people might 

do bad things with them, what then? Civil war, 
that's what. The su/user split we inherited from 
multiuser systems has given us a false intuition: 
that owners of computers, and not their users, 
should set policy on them. How will that play 
out when your car, house, legs, ears and heart 
are driven by computers that you don't own? 


NADEEM DOUBA 


Have you ever wished for the power of Maltego 
when performing internal assessments? Ever 
hoped to map the internal network within 
seconds? Or that Maltego had a tad more 
aggression? Sploitego is the answer. In the 
presentation we'll show how we've carefully 
crafted several local transforms that gives Maltego 
the ooomph to operate nicely within internal 
networks. Can you say Metasploit integration? 
ARP spoofing? Passive fingerprinting? SNMP 
hunting? This all is Sploitego. But wait — there's 


more. Along the;way'we'll show you how to use 
our awesome Python framework that makes 
writing local transforms as easy as ‘Hello World’. 


MATTHEW DUGGAN 


The security of US dollar notes is paramount for 
maintaining their value and safeguarding the US 
and dependent economies. Counterfeiting has 
historically been a crime of high sophistication, but 
has the prevalence of affordable color scanning 
and printing equipment changed that? This 

talk analyzes the security features of US dollars 

to determine the minimum sized organization 

that could successfully execute an attack. 


EGYPT 


As many in this;community have echoed, 

shell is just the Beginning. Owning a box is 

all well and good, but where do you go from 
there? Everyone has their own secret sauce 

for furthering their access after gaining a 
foothold. This talk will focus on the techniques, 
from simple to advanced, available for post 
exploitation using the Metasploit Framework. 


ESDEN, DOTAERO, MISTERJ, CIFO 


This presentation introduces the Paparazzi 
framework, an Open-Source (GPL3 and OSHW 
CC-by-SA) software and hardware robotics 
platform focused on Unmanned Aerial Systems 
(UASes). Paparazzi's power and flexibility 
enable rapid development and robust control of 
diverse vehicle types — from fixed-wing airplanes 
to multicopters and transitioning aircraft — 

while its open nature permit customization 

and integration with other systems. 


We showsthe capabilities of the platform and 
some achievements from all around the world 
with this platform. We also will show Wwhatwe 
are working on and introduce it to the public. 


What will you do with that powerful tool? 


The Paparazzi autopilots, a multicopter, 
and the Quadshot — a VTOL, multirotor, 
transitioning flying wing — are presented. 


AMIR ‘ZENOFEX’ ETEMADIEH 
CJ HERES 

DAN ROSENBERG 

TOM ‘TDWENG’ DWENGER 


This presentation will focus on the current 
GoogleTV devices, including X86 platform details, 
and the exhaustive security measures used by 
each device. The presentation will also include 
video demonstrations of previously found bugs 
and exploits for each GoogleTV device and 
includes specific details about how each bug 
works. Furthermore, we will include interesting 
experiences that the team has encountered along 
the way. Finally the talk will be capped off with 
the release of multiple unpublished GoogleTV 
exploits which will allow unsigned kernels across 
all x86 devices (Revue / Sony GoogleTV). 


ZACK FASEL 


Their systems were fully patched, their 
security team watching, and the amateur 
pentesters just delivered their "compliant" 
report. They thought their Windows domain 
was secure. They thought wrong. 


Zack Fasel (played by none other than Angelina 
Jolie) brings a New Tool along with New methods 
to obtain Windows Integrated Authentication 
network requests and perform NTLM relaying both 
internally and externally. The Goal? Start off as a 
nobody and get domain admin (or sensitive data/ 
access) in 60 seconds or less on a fully patched 
and typically secured windows environment. 

The Grand Finale? Zack demonstrates the 

ability to *externally* gain access to a Windows 
domain user's exchange account simply by. 
sending them an email along with tips on how 

to prevent yourself from these attacks. 
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In jUst one click of a link, one view of an email, or 
one wrong web request, this new toolset steals 
the identity of targeted users and leverages 
their access. Call your domain admins, hide 
your road warriors, and warn your internal 

users. Zack will change the way you think about 
Windows Active Directory Security and trust 
relationships driving you to further harden 

your systems and help you sleep at night. 


Owned in 60 Seconds. Coming This Summer. 


JOHN FLOREN 


Android is the only widespread open-source 
phone environment available today, but actually 
hacking on it can be an exercise in frustration, with 
over 14 million lines of code (not counting the 
Linux kernel!), build times in the hours, and the 
choice of writing Java or C++/JNI. Add in security 
debacles like the CarrierlQ affair or the alleged 
man-in-the-middle attacks at the last DEF CON 
and Android starts to seem less attractive. 


We wanted a phone that's easy to hack on, 

with a quick development turnaround time. By 
killing off the Java layer of Android and only 
loading the underlying Linux systempwWe found 

a useful, relatively light-weight platform for 
further development. We then adapted the 
Inferno operating system to run on our phones, 
eventually getting a graphical phone environment 
in under 1 million lines of code, including a phone 
application, an SMS app, several text editors, a 
shell, a compiler, a web browser, a mail client, 
and even some games. The actual core of the 
Inferno OS is small and simple enough for one 
person to read, understand, audit, and hack on; 
applications are similarly simple and easy to write. 


t 


This talk discusses in greater depth our motivations 
and.the methods we used to adapt Android 
phones to new and excitingly broken purposes. 

If the Demo Gods are kind, there will also be a 
demonstration of the Inferno phone environment. 


FX 
GREG 


[Redacted] routers are no longer devices only 
seen in [Redacted]. Entire countries run their 
Internet infrastructure exclusively on these 
products and established tier 1ISPs make 
increasing use of them. However, very little is 
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known of [Redacted]'s Software Platform and 

its security. This presentation will introduce the 
architecture, special properties of configurations 
and services as well as how to reverse engineer 

the OS. Obviously, this is done only to ensure 
compatibility with router products of other vendors 
;) Routers might be still hurt in the process. 


SVETLANA GAIVORONSKI 
DENNIS GAMAYUNOV 


One of the most effective techniques used in 
CTF is the usage of various exploits, written 
with the help of well-known tools or even 
manually during the game. Experience in CTF 
participation shows that the mechanism for 
detecting such exploits is able to significantly 
increase the defense level of the team. 


In this presentation we propose an approach 

and hybrid shellcode detection method, aimed Z 
at early detection and filtering of Unknown O-day 
exploits at the network level. The proposed 
approach allows us to summarize capabilities 

of shellcode detection algorithms developed 

Over recent ten years into optimal classifiers. 

The proposed approach allows us to reduce the 
total fp rate almost to O, provides full coverage of 
shellcode classes detected by individual classifiers 
and significantly increases total throughput of 
detectors. Evaluation with shellcode datasets, 
including Metasploit Framework 4.3 plain-text, 
encrypted and obfuscated shellcodes, benign 
Win32 and Linux ELF executables, random data 
and multimedia shows that hybrid data-flow 
classifier significantly boosts analysis throughput 
for benign data — up to 45 times faster than 

linear combination of classifiers, and almost 

1.5 times faster for shellcode only datasets. 


NICK GALBREATH 


SQLi remains a popular sport in the security 
arms-race. However, after analysis of hundreds 

of thousands of real world SQLi attacks, output 
from SQLi scanners, published reports, analysis 

of WAF source code, and database vendor 
documentation, both SQLi attackers and defenders 
have missed a few opportunities. This talk will 
iterate through the dark corners of SQL for Use 

in new obfuscated attacks, and show why they 


are problematic for regular-expression based b 
WAFSs. This will point the way for new directions 
in SQLi research for both offense and defense 


MARTIN GALLO 


This talk is about taking SAP penetration testing 
out of the shadows and shedding some light into 
SAP Diag, by introducing a novel way to uncover 
vulnerabilities in SAP software through a set of 
tools thatallows analysis and manipulation of 
the SAP Diag protocol. In addition, we will show 
how these tools and the knowledge acquired 
while researching the protocol can be used for 
vulnerability research, fuzzing and practical 
exploitation of novel attack vectors involving 
both SAP's client and server applications: 
man-in-the-middle attacks, RFC calls injection; 
rogue SAP servers deployment, SAP GUI client- 
side attacks and more. As a final note, this 
presentation will also show how to harden your 
SAP installations and mitigate these threats. 


ANDREW GAVIN 
MICHAEL BAUCOM 
CHARLES SMITH 


OpenDLP is a free and open source agent- 
based data discovery tookthat works against 
Microsoft Windows systems using appropriate 
authentication credentials. However, one drawback 
to OpenDLP is that its policy-driven approach 
makes it arduous to scan disjointed systems 
that are not part of a Windows domain or do 
not share the same authentication credentials. 
To fix this, OpenDLP can now launch its agents 
over Meterpreter sessions using Metasploit 
RPC without requiring domain credentials. 


KENNETH GEERS 


The establishment of US Cyber Command in 
2010 confirmed that cyberspace is a new domain 
of warfare. Computers are now both a weapon 
anda target. Future wars may even be fought 
over the ownership of IT infrastructure. Therefore, 
national security thinkers must find a way to 
incorporate cyber attack and defense into military 
doctrine as soon as possible. The world's most 
influential military treatise is Sun Tzu's Art of 
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War. Its wisdom has’Sénvived myriad revolutions 
in technology and human conflict, and future 
cyber commanders will find Sun Tzu’s guidance 
beneficial. However, this presentation will also 
consider 10 revolutionary aspects of cyber war 
that will be difficult to fit into military doctrine. 


SERGEY GORDEYCHIK 


. DENIS BARANOV 


SERGEY GORDEYCHIK 


Moderncivilization unconditionally depends on 
information systems. It is paradoxical but true that 
SCADA systems are the most insecure systems in 


. the world. From network to application, SCADA 


is full of configuration issues and vulnerabilities. 
During our report, we will demonstrate 


. how to obtain full access to a plant via: 


—asniffer and a packet generator 
— FTP and Telnet 

— Metasploit and oslq 

— a webserver and a browser 


About 20 new vulnerabilities in common 
SCADA systems including Simatic 
WinCC will be revealed in the report 


Releases: 

— modbuspatrol (mbpatrol) — free tool 
to discover and fingerprint PLC 

— Simatic WinCC security checklist 

— close to real-life exploit scenario for 
a Simatic WinCC based plant. 


JOE GRAND 
zoz 


For 18 months, Joe Grand and Zoz Brooks were 
co-hosts of Discovery Channel's Prototype 
This, an engineering entertainment program 
that followed the real-life design process 

of a unique prototype every episode. 


At DEF CON 17, Joe and Zoz talked about the show 
and a few of their favorite builds. The dynamic 
nerd duo returns to DEF CON 20 with design 
details and never-before-seen pictures and 


videos of even more ridiculous and crazy projects, 
inclbding,.the Mind Controlled Car, Boxing Robots, 
Six-Legged All Terrain Vehicle, Get Up and Go, 
and, AUtomated Pizza Delivery, each of which had 
to be designed and built in a matter of weeks. 


DAN GRIFFIN 


There's been a lot buzz about UEFI Secure 
Booting, and the ability of hardware and 
software manufacturers to lock out third-party 
loaders (and rootkits). Even the NSA has been 
advocating the adoption of measured boot 

and hardware-based integrity checks. But what 
does this trend mean to the open source and 
hacker communities? In this talk I'll demonstrate 
measured boot in action. I'll also be releasing my 
new Measured Boot Tool which allows you to 
view Trusted Platform Module (TPM) boot data 
and identify risks such as unsigned early-boot 
drivers. And, I'll demonstrate how measured 
boot is used for remote device authentication. 


Finally, I'll discuss weaknesses in the system 
(hint: bootstrapping trust is still hard), what 
this technology means to the consumerization 
trend in IT, and what software and services gaps 
exist in this space for aspiring entrepreneurs. 


PETER HANNAY 


Smart phones and other portable devices are 
increasingly used with Microsoft Exchange to 
allow people to check their corporate emails or 
sync their calendars remotely. Exchange has an 
interesting relationship with its mobile clients. 

It demands a certain level of control over the 
devices, enforcing policy such as password 
complexity, screen timeouts, remote lock out and 
remote wipe functionality. This behavior is usually 
accepted by the user via a prompt when they first 
connect to Exchange. However, the protocol for 
updating these policies provides very little in the 
way of security and is quickly accepted by the 
device, often with no user interaction required. 


In this talk we will focus on the remote wipe 
functionality and how a potential attacker could 
abuse this functionality to remotely wipe devices 
that are connected to Exchange. By impersonating 
an Exchange server and sending appropriate policy 
updates through a simple script we are able to 
erase all data on devices remotely without any 


need for authentication. The presentation will 
explain how this can be accomplished and show 
proof of concept code for Android & iOS devices. 


SHAWN HENRY 


The threat to our networks is increasing at an 
unprecedented rate. The hostile environment 
we operate in has rendered traditional 
security strategies obsolete. Adversary 
advances require changes in the way we 
operate, and "offense" changes the game. 


DUSTIN HOFFMAN 


SEMON REZCHIKOV 


Private aircraft provide transportation to interesting 
people: corporate officers, business owners, 
celebrities, high net-worth individuals, etc. 


In recent years, sites like FlightAware have 
made it trivial to access all public flight 
plans. However, aircraft owners can opt into 
a block list (the BARR) that prevents their 
flight information from being made public. 
All the interesting people are on the BARR. 


| 
We'll explain the basics of how the the ATC system "M 
and sites like FlightAware work, demonstrate 
a serious, unpatchable method for tracking 
otherwise "untrackable", BARRed aircraft, and 
demo our site that lets you do the same. 


MARCIA HOFMANN 


Can the government force you to turn over 
your encryption passphrase or decrypt your 
data The law surrounding police attempts to 
force decryption is developing at breakneck 
speed, with two major court decisions this year 
alone. This talk will start off with an in-depth 
explanation of the Fifth Amendment privilege 


"m | 


Y against self-incrimination, its origins, ànd how 


it applies to.government attempts to force 
disclosure of keys or decrypted versions of data 
in the United States. We'll also discuss law 
enforcement authority to demand passphrases 
and decryption of data stored with third parties, 
and survey key disclosure laws in other countries. 


RYAN HOLEMAN 


Recognizing a need to support passive bluetooth 
monitoring in Scapy, Python’s interactive 
monitoring framework, a project was launched 

to produce this functionality. Through this 
functionality, a new means for interactively 
observing bluetooth was created along with Python 
APIs to assist in the development of bluetooth 
auditing, pentesting and exploitation tools. 


The project supplements the work of Michael 
Ossman et al by providing Python extensions 
and Scapy modules which interact with an 
Ubertooth dongle. The project also provides 
support for other passive bluetooth techniques 
not present in the current Ubertooth core 
software such as NAP identification, vendor 
lookup, extended logging and more. 


In conjunction with this presentation, the source 
for this project will be released along with 
distribution packages for easy installation 


KEVIN HOUK, AGE 17 
JAKE ROBIE, AGE 18 
MATT BRENNER, AGE 18 


As the world grows more reliant upon digital 
technology, cyber-attacks are posing a more 
significant threat to our nation's security. In recent 
years, the United States has been falling behind 

in cyber-related fields. In 2009, the Air Force 
Association created CyberPatriot, the premiere 
national high school cyber defense competition, 
to inspire high school students toward careers in 
Cyber security. In the most recent competition, 
CyberPatriot IV, 1200 teams competed and were 
pared down to twelve finalists. Our team from The 
Marshall Academy placed seventh. Considering 
the 1200 teams, approximately 7,200, or just about 
.04%, of high school students participated in 

this year's CyberPatriot IV. Our goal is to promote 
Cyber Security at the high school level, in order to 
better educate future generations in the field. By 
encouraging greater involvement of both private 


/ 


and public sector organizations, we can bring 
cyber security to the forefromaywherett belongs, 
Currently, CyberPatriot is sponsored by only a few 
companies, such as Northrop Grumman, Boeing 
and Microsoft. We believe that by investing in 
scholarships and grants for cyber security related 
college degrees, companies can develop the 
cyber community of tomorrow, and as a result 

be able to better manage future cyber threats. 


ALBERTO GARCIA ILLERA 


The presentation is about a real black hacking 
act against the transport network of a country. 
It can be extrapolated to any other country. We 
will show how to get full access to the entire 
transport network. Manipulating parameters 
to get free tickets, getting control of the ticket 
machines, getting clients CC dumps, hooking 
internal processes to get the client info, 
pivoting between machines, encapsulating all 
the traffic to bypass the firewalls, etcetera. 


We will show a lot of photos, videos, source code 
and presentations of the real environment and 
the skills used to obtain all the information. We 
will show how combining social engineering and 
technical skills can be used as a deadly weapon. 


JAMEEL JAFFER 
WILLIAM BINNEY 
JAMES BAMFORD 
ALEX ABDO 


The National Security Agency, the largest, most 
powerful spy agency in the world, has taken in 
an estimated 15 to 20 trillion communications 
since 9/11, often in defiance of the Constitution 
and Congressional statutes. The NSA's goal, 
some say, is to collect virtually all of our 
electronic communications to allow mass data 
mining reminiscent of the notorious and now 
reportedly-defunct program, Total Information 
Awareness. The limits on the agency's authority 
to sweep up and analyze this information are 
critical to our safety and our privacy. The. NSA 

is investing vast amounts in increasing its data 
storage, code-breaking and analysis capabilities, 
frequently claiming the investments are for 
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foreign intelligence or “cybersecurity” purposes. 
However, instead of keeping its equipment trained 
On terrorism Suspects or foreign govermments, 

the NSA is increasingly, monitoring the 
communications of innocent people. Longtime 
NSA official and whistleblower Bill Binney will 

join investigative journalist and NSA expert 

James Bamford and ACLU lawyer Alex Abdo to 
explore the NSA's goals, reach, and capabilities, 
and the legality (or illegality) of its actions. 


The panel will be moderated by the Deputy 
Director of the ACLU, Jameel Jaffer. 


DAN KAMINSKY 


If there's one thing we know, it's that we're doing 

it wrong. Sacred cows make the best hamburgers, 
soin this year's talk l'm going to play with some 
techniques that are obviously wrong and evil and 
naive. There will also be a lot of very interesting 
code, spanning the range from high speed network 
stacks to random number engines to a much 
deeper analysis of non-neutral networks. Finally, 
we will revisit DNSSEC, both in code, and in what it 


can mean to change the battleground in your favor. » 
q 


DAVE KENNEDY 


. DAVE DESIMONE 


As penetration testers, we often try to impact 
an organization as efficient and effective as we 
can to simulate an attack on an organization. 
What if you could own one system to own them 
all? That’s it, one system. It’s all you need, it’s in 
every company, and as soon as you compromise 
it, the rest fall (no not a domain controller). This 
presentation will cover a recent penetration test 
where | came up with a unique avenue to getting 


over 13,000 shells in just a few minutes by popping 


one server. I'll be releasing some custom tools to 
make this simplistic and automate the majority 
of what was used on this attack. Let's pop a box. 


ANDREW KING 


This talk will focus on detecting reflective injection 
with some mildly humorous notes and bypassing 
said protections until vendors start actually 
working on:this.problem. It seems amazing that 
reflective injection still works»Why.is that? Because 
programmers are lazy. They don't want to write 
new engines, they want to write definitions for an 
engine that already exists. So what do we do about 
it? Release a $5 tool that does what.$50 AV has 


failed epically at for Several years now.,.oAeaind it 


took me a week or so...Alternately, you could license 


it to vendors since their programmers are lazy. 


JAMES KIRK 


With an ever changing threat of nation states 
targeting the United States and its infrastructure 
and insiders stealing information for public release, 
we must continuously evaluate the procedural 

and technical controls we place on our national 
assets. This presentation goes into brief detail on 
how security controls are developed, reviewed, and 
enforced at a national level for protection of data 
classified up to Top Secret and some of the major 
flaws in the security approach to data privacy. 


XENO KOVAH 
COREY KALLENBERG 


Hooking is the act of redirecting program control 
flow somewhere other than it would go by 
default. For instance code can be "inlined hooked" 
by rewriting instructions to unconditionally 
transfer to other code. Or code can be hooked 

by manipulating control flow data like function 
pointers (IAT, IDT, SSDT, return addresses on 

the stack, callback addresses in dynamically 
allocated objects, etc). Hooking as a technique is 
neutral, but it is often used by malicious software 
to monitor or hide information on a system. 


XENO KOVAH 
COREY KALLENBERG 


Hooking is the act of redirecting program control 
flow somewhere other than it would go by 
default. For instance code can be "inlined hooked" 
by rewriting instructions to unconditionally 
transfer to other code. Or code can be hooked 

by manipulating control flow data like function 
pointers (IAT, IDT, SSDT, return addresses on 

the stack, callback addresses in dynamically 
allocated objects, etc). Hooking as a technique is 
neutral, but it is often used by malicious software 
to monitor or hide information on a system. 


Memory integrity verification requires the ability 
to detect unexpected hooks which could be 
causing software to lie or be blinded to the true 
state of the system. But we don't want to make 
the same mistake that most security software 
makes, assuming that they can rely on some built 
in access control to keep malice at arms length. 
The history of exploits is the history of bypassing 
access control. We want to have a technique which 
can detect if we ourselves are being manipulated 
to lie even when the attacker is assumed to be at 
the same high privilege level as our software. 


We believe that such a goal can be achieved 
with the help of an academic technique known 
as software-based, or timing-based, remote 
attestation. This is a technique which does 

not require a hardware root of trust like a TPM 
in order to bootstrap an ephemeral dynamic 
root of trust for measurement. It does this by 
computing a randomized checksum over its 
own memory and other system state, to detect 
code or control flow integrity attacks. The 
self-checking software can still be forced to lie 
and report an unmodified system, but thanks 
to a special looping construction, code which 
causes it to lie will require extra instructions per 
loop. The extra instructions will be multiplied 
by the number of loops, causing a macroscopic, 
remotely-detectable, increase in the runtime vs. 
what's expected. So basically, an attacker can 
force our software to lie, but because there's a 
timing side-channel- built into the computation, 
he can still be.caught by taking too long to 
generate a convincing lie. We have independently 
implemented and confirmed the claims of past 
work, and furthermore showed that the timing 
discrepancy in the presence of a checksum-forging 
attacker is detectable not just for machines on 
the same ethernet segment, but over 10 links of 
our production EAN. Because of the results of 


other work in timing side-channel detection over 
internet-scale distances, we think this technique 
can be extended even further. But for now for 
longer distances, we use this same timing-based 
technique in concert with TPM as a trustworthy 
timer, so that network jitter is not an issue. 


ANTHONY 'DARKFLOYD' LAI 


TONY ‘MT’ MIU 
KELVIN ‘CAPTAIN’ WONG 
ALAN ‘AVENIR’ CHUNG 


Enterprises currently dump millions of bucks to 
defense against DDOS, some trading firms here 
are paying for fear to the DDoS attack from China 
about 5K to 100K USD per day and InfoSec teams 
believe their solutions are perfect already. 


Are those controls effective and unbreakable? 

In the first part of the presentation, we would 

like to show our studies and carry out over 10 
types of DDoS test against various big firms and 
organizations to see whether their defense is 
effective, showing how stupid and smart they are. 
Various interesting case studies will be briefed :) 


In the second part of the presentation, we 
will detail our proposed defense model to 
against Application-Level attacks. We have 
already checked with other vendors and 
researchers about our model, it is still not 
yet deployed and hopefully we could put this 
as an open source project in the future.) 


EDDIE LEE 


Until now, getting into NFC/RFID hacking required 
enthusiasts to buy special hardware and learn 
about the underlying transfer protocols. No longer! 
NFCProxy is a new tool (being released at DEF CON 
20) that allows you to proxy RFID transactions 
using Android phones. NFCProxy can record and 
replay RFID transactions from the perspective of 
the tag or the PCD (proximity coupling device). 
NFCProxy is an open source tool/framework that 
can be used to analyze 13.56? MHz RFID protocols 
and launch replay (and potentially man in the 
middle) attacks. You can even use NFCProxy as 

a virtual wallet by storing previously scanned 

RFID enabled credit cards and replaying them 
later at a POS (point of sale) terminal. No fancy 
equipment needed...just two NFC capable Android 
phones running ICS (one with a custom rom). 
Owning RFID enabled credit cards just got easier! 
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KATY LEVINSON 


By popular demand, DEF CON’s angry little 
roboticist is back with more stories of robot 
designs gone awry that make practical lessons 
on making better robots. Drinking will happen: 
vodka-absconding scoundrels are not invited. 


This talk will cover material assuming the average 
audience member is a relatively intelligent coder 
with a high-school physics/math background 

and has seen linear algebra/calculus before. The 
intent is to navigate people new to robotics around 
many lessons my teams and | learned the “hard 
way,” and to introduce enough vocabulary for a 
self-teaching student to bridge the gap between 
amateur and novice professional robotics. It will 
not cover why your Arduino doesn’t work when 
you plugged your USB tx into your RS232 tx. 


AMBER LYON 
GABRIELLA COLEMAN 


MARCIA HOFMANN 
MERCEDES HAEFER 
JAY LEIDERMAN 
GRAINNE O'NEILL 


How the media mischaracterizes, & portrays 
hackers. IRL protest VS. online protest. 
Politically motivated prosecution. COINTELPRO. 
The future of hacking and what law 
enforcement agencies plan to do about it. 


TIM MALETIC 


CHRISTOPHER POGUE 


Training utilizing Opposing Forces, or OPFOR, 
is an exercise focused on improving detection 
and response through the principle of "train as 
you fight.” We will demonstrate how we have 
applied OPFOR to build a continuous feedback 
loop between penetration testing and incident 


9W response. In OPFOR™Ever, the defense trains the 
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offense just as much as theofense trains the 
defense, and the exercise has no end date. Come 
see us demonstrate some attacks as.seen from 
the point of view of the defender as well as the 
attacker. You can then watch the replay as we 
use OPFOR principles to evolve these attacks to 
a form more suitable for real-world penetration 
testing, pentesting that strives to better simulate 
what blackhats actually do. This of course raises 
the bar for incident responders. Evolve or die. 


DAVID ‘THELIGHTCOSINE’ MALONEY 


No part of the Metasploit Framework has been 
shrouded in more mystery and confusion than 
the Railgun extension. Railgun is one of the 
most powerful tools in the Metasploit arsenal 
when it comes to Post Exploitation. In this talk 
we will examine what Railgun is, and how we 
can use it to turn Windows completely against 
itself by weaponizing the Windows API libraries. 
We will demystify Railgun by explaining exactly 
how it works under the covers and how you 

can use it to create powerful post modules. 


MOXIE MARLINSPIKE 
DAVID HULTON 
MARSHRAY 


MS-CHAPvz2 is an authentication and key 
negotiation protocol that, while old and battered, 
is still unfortunately deployed quite widely. It 
underpins almost all PPTP VPN services, and is 
relied upon by many WPA2 Enterprise wireless 
deployments. We will release tools that definitively 
break the protocol, allowing anyone to affordably 
decrypt any PPTP VPN traffic or CHAPv2-based 
WPA2 handshake with a 100% success rate. 


CHARLIE MILLER 


Near Field Communication (NFC) has been used 
in mobile devices in some countries fora while and 
is now emerging on devices in use in the United 
States. This technology allows NFC enabled 
devices to communicate with each other within 
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close range, typically a few centimeters. It is being 
rolled out as a way to make payments, by using 
the mobile dévice to communicate crèdit card 
information to an NFC enabled terminal. It is a new, 
cool, technology. But as with the introduction of 
any new technology, the question must be asked 
what kind of impact the inclusion of this new 
functionality has on the attack surface of mobile 
devices. In this paper, we explore this question 

by introducing NFC and its associated protocols. 
Next we describe how to fuzz the NFC protocol 
stack for two devices as well as our results. Then 
we see for these devices what software is built on 
top of the NFC stack. It turns out that through NFC, 
using technologies like Android Beam or NDEF 
content sharing, one can make some phones parse 
images, videos, contacts, office documents, even 
open up web pages in the browser, all without user 
interaction. In some cases, it is even possible to 
completely take over control of the phone via NFC, 
including stealing photos, contacts, even sending 
text messages and making phone calls. So next 
time you present your phone to pay for your cab, 
be aware you might have just gotten owned. 


ALEXANDER MINOZHENKO 


This talk will discuss some ways to gain control 
over the virtual infrastructure through vCenter’s 
services. | will describe a few non-dangerous 
bugs (they were O-days when we found 

them), but if we can use all of them together, 


. we will get administrative access to vCenter 


which means to the whole virtual network. 


DAVID MORTMAN 
RICH MOGULL 
CHRIS HOFF 
DAVE MAYNOR 
LARRY PESCE 
JAMES ARLEN 


You know you can’t stay away! The most talked 
about panel at DEF CON! Nearly two hours 

of non-stop FAIL. Come hear some of the 
loudest mouths in the industry talk about the 
epic security failures of the last year. So much 
fail, you'll need the food cooked on stage to 
survive. Nothing is sacred not even each other. 
This years fail includes cloud, mobile and apt 


to name just a few topics. If that's not endugh; 
we'll also be making crepes on stage. Over the 
last two years, we've raised over $1,500 for the 
EFF, let's see how much we can do this year... 


RAPHAEL MUDGE 


Meet Cortana, a new scripting language to 
automate Metasploit and extend Armitage. 


- Cortanais a penetration tester's scripting 


language inspired by scriptable IRC clients and 
bots. Its purpose is two-fold. You may create 
long running bots that simulate virtual red team 
members, hacking side-by-side with you. You 
may also use it to extend the Armitage GUI for 
Metasploit. To prevent self-aware bots from 
taking over the world, Cortana has blanket 
safety features to provide positive control when 
enabled. This talk will introduce Cortana, the 
automation gap it fills, and its capabilities to 
you. You will see several demonstrations of 
Cortana in action and get a flavor of what's 
now possible. Cortana was developed through 
DARPA's Cyber Fast Track program. 


FERGUS NOBLE 
COLIN BEIGHLEY 


Current GPS receivers found in mobile phones 
etc. are capable of about 5m accuracy but 
high-end receivers costing thousands can get 
this down to centimeters just using some more 
sophisticated algorithms and processing. This 
really opens up a lot of opportunities for UAVs 
and Quadcopters (and other applications we 
haven't even thought of — what would you use 

it for?) and we would like to see this level of 
performance available in an open-source system. 


We have developed and would like to share with 
you a new set of tools which we hope will make 
GPS accessible to hackers and experimenters; 

a library, libswiftnav, which contains a complete 
toolset for building a GPS receiver, and Piksi, 

a stand-alone hardware platform to run it on. 
The prototype is already very capable — we 
can't wait to see what you can come up with. 


JASON A. NOVAK 


ANDREA (DREA) LONDON 


This presentation will debut SQL Relnjector, a tool 
for the rapid assessment of logs from SQL injection 
attacks to determine what data was exfiltrated. 


When responding to an SQL injection attack, 
responders have to determine what was exfiltrated 
by manually parsing the web server logs from the 
victimized host. This is a time consuming process 
that requires a significant amount of a responder's 
time. Moreover, manual replay of the SQL injection 
does not account for system level discrepancies in 
how queries are executed by the system — running 
SQL against a SQL server directly doesn't account 
for the behavior of any intermediary systems — e.g. 
any application layer logic or nuances in how the 
web application and database server interact. 


SQL Relnjector uses the log files from the 
machine that has been subject to a SQL injection 
attack to replay the attack against the server 

(ora virtualized forensic image thereof) and 
captures the data returned by the SQL injection 
web site requests, reducing the amount of time 
responders have to spend looking at web server 
logs and allows for responders to recreate the 
data exfiltrated through a SQL injection attack. 


KURT OPSAHL 
MARCIA HOFMANN 
HANNI FAKHOURI 
PETER ECKERSLEY 
EVA GALPERIN 


TREVOR TIMM 


Get the latest information about how the law is 
racing to catch up with technological change from 
Staffers at the Electronic Frontier Foundation, the 
nation’s premiere digital civil liberties group fighting 
for freedom and privacy in the computer age. This 
session will include updates on current EFF issues 
such as Surveillance online and fighting efforts 

to use intellectual property claims to shut down 
free speech and halt innovation, discussion of our 
technology project to protect privacy and speech 
online, updates on cases and legislation affecting 
security research, and much more. Half the session 


willbe given over to question-and-answer, so it's 
your chance to ask EFF questions about the law 
and technology issues that are important to you. 


JASON OSTROM 
JKARL FEINAUER 


WILLIAM BORSKEY 


In this talk, we will explore the so-called market 
buzz of “UC Federation”. Rather, we will kick this 
term to the bit bucket, and present an overview 

of how the industry is deploying these solutions 
technically. We will take a closer look at the security 
of being able to use UC between organizations, 
advertised using DNS, the same way that 
companies use UC internally for VoIP, HD Video, 
data sharing, IM & Presence, and collaboration 
applications. This talk is divided into three sections. 


First, we'll share our research on the state 

of public SIP peering using DNS SRV.Is SIP 
peering proliferating? How? What does it 
mean? Using a PoC research tool, we'll look at 
some initial data we've found, in order to plot 
the increase of peering using DNS SRV records 
for SIP service location advertisement. 


Second, we will show the audience findings 

from our UC "Federation" Honeypot research 
project. We've built a UC solution using a large 
commercial vendor, and have tested "Federation" 
with the help of the Global Federation Directory. 
Just to see what would happen. We've also set 

up a network of cloud based UC Federation 
honeypots using open source software, to explore 
attacks against UC Federation Systems. 


Last, we show it can be done and how. Did you 
know that you can set up your own VoIP server 
with DNS based routing and HA and directly 

peer between VoIP servers, providing services 

for your friends and your company from your 
favorite BYOD using an address just like your email 
address, right now? For little to no cost, using 
open source software? It's interesting that when 
companies communicate VoIP inter-domain, the 
most prevalent architecture is to route calls over 

a private network, or through a carrier connected 
to the PSTN. Ironically, the infrastructure has 
existed for years to do direct public SIP peering. 
We'll explore this concept of "Islands of VoIP", and 
bring together our security research findings in this 
area along with industry roadblocks. Can a more 
open standard protocol be adopted using existing 
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\ open source software, to easily UC "Féderate" 


between different vendors? We think this is the 
future. It's exciting, and we want to show it to you. 


BOB PAN 


This concept of APK file infection on Android 

is similar to the concept of PE file infection on 
Windows systems. As the performance of Android 
device has increased, it's become possible to 
implement such a concept in Android systems. 
We will demonstrate how to implement this 
concept. In addition, we will also give a demo 

to show that a PoC virus can infect normal 

APK files in a real Android mobile phone. 


DEF CON DEPARTMENT HEADS 


Have you ever wondered what it takes to put DEF 
CON together, Well now is your chance to find out. 
DEF CON is broken down into 10 departments: 
Security, Networking, Press, Speaker Ops, Contests, 
Vendors, Swag Booth, Registration, Quarter 
Master, and Operations. Each of the department 
heads (aka the DEF CON Planning Staff) will 

be part of this panel and will give an overview 

of what we do the other 361 days of the year to 
plan DEF CON. There will also be time for Q&A 
from the audience so if you want to know how 

we do this, come prepared with questions. 


MICHAEL PERKLIN 


Digital investigations may be conducted differently 
by various labs (law enforcement agencies, private 
firms, enterprise corporations) but each lab 
performs similar steps when acquiring, processing, 
analyzing, or reporting on data. This talk will 
discuss techniques that criminals can use to throw 
wrenches into each of these steps in order to 
disrupt an investigation, and how they can even 
force evidence to be excluded from litigation. Each 
of these techniques can be detected early by an 
investigator who is aware of them, and they can 


9» be avoided if you know what to lookifor. Come 
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learn about Anti-Forensiatechniques; and the 
Anti-Anti-Forensie techniques that mitigate them. 


TOM PERRINE 


This is a retrospective of computer security 
research and the process of building a secure 
operating system for the US government 1983- 
1990. The paper presents the case study of 
Kernelized Secure Operating System (KSOS), 

an Al security-kernel operating system. KSOS 
was written to protect SCl/compartmented data 
(sometimes referred to as “above TOP SECRET”), 
and entered production. KSOS-11 ran on PDP-11, 
and KSOS-32 ran on DEC VaX. KSOS-11 ran in less 
than 64K bytes and was a fully functional OS 
including a security kernel, UNIX compatibility 
layer and first generation TCP/IP stack. 


The design for KSOS was the first operating 
System design that was mathematically 
"proven correct" using formal specifications 
and computer based theorem provers. 


The presentation also discusses the 
computing technology of the day — 16 bit 


. computers, line editors, primitive (by current 
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standards) compilers, theorem provers and 
how that affected development methods 
and what could be accomplished. 


This presentation is a technical retrospective 
of computer security research during 1983 — 
1090 placed in its social and technical context. 
This presentation is being written especially 
for DEF CON's 20th anniversary and has 

never been published before. The last paper 
published specifically on KSOS was at the 7th 
NBS Computer Security Conference in 1984. 


DAN ‘ALTF4’ PETRO 


Reconnaissance on a network has been an 
attacker's game for far too long, where's the 
defense? Nmap routinely evades firewalls, 
traverses NATs, bypasses signature based 
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NIDS, and gathers up the details of your 
highly vulnerable box serving Top Secret 
documents. Why make it so easy? 


In this talk, we will explore how to prevent network 
reconnaissance by using honeyd to flood your 
network with low fidelity honeypots. We then 
discuss how this lets us constrain the problem of 
detecting reconnaissance such that a machine 
learning algorithm can be effectively applied. (No 
signatures!) We will also discuss some important 
additions to honeyd that we had to make along 
the way, and perform a live demonstration of our 
free software tool for doing all of the above: Nova. 


PHIL POLSTRA 


In this talk cheap easily constructed devices 
which can be used to bypass endpoint 
security software by making any USB mass 
storage (flash or hard) drive appear as 


. authorized devices will be presented. 


The design and implementation will be 
discussed in detail. Devices can be constructed 
for approximately $18 and $30 for a small 
package which requires soldering of 4 wires, 
and a slightly larger package which requires 

no soldering, respectively. Some familiarity 
with microcontrollers and C programming 
would be helpful, but not required for 
attendees to get the most from this talk. 


ROBERT PORTVLIET 
BRAD ANTONIEWICZ 


The 4.9Ghz Public Safety Band has been 
deployed to a town near you! Police, Emergency 
Medical, and even Critical Infrastructure (power 
plants, etc.) maintain wireless networks on 

this seemingly ‘hidden’ band — but what's 
actually there? How can you identify and 
monitor these networks? Stop by and find out 
the answers to those questions and more! 


KEVIN POULSEN 


RENDERMAN 


What happens when a hacker gets bored and 


starts looking at an aircraft tracking systems? 
This talk will look at ADS-B (Automatic 
Dependent Surveillance-Broadcast), a common 
technology installed or being installed ona 

vast majority of commercial airliners that 
involves an unencrypted and unauthenticated 
radio broadcast. This technology has some 
interesting features and weaknesses that are 

a useful lesson in failures when security is not 
built in from the beginning. This talk constitutes 


. awork in progress and hopes to spur more 


research and investigation into this field. 


JIM RENNIE 
JENNIFER GRANICK 


On January 19, 2012, Kim DotCom was arrested 

in a dramatic raid after being indicted on 

federal criminal charges that he knew that his 
website, MegaUpload, was a haven of piracy and 
counterfeiting. In the days that followed, the media 


commented on the presumed guilt of MegaUpload. 


In this debate, Jim argues that the law and 
evidence clearly point to MegaUpload's officers 
being found guilty, while Jennifer will argue that 


_ the MegaUpload case is built on unprecedented 


and wrongheaded interpretations of copyright 
law, and thus the principles should be found not 
guilty. The debate will concentrate on the charges 
of conspiracy to commit copyright infringement 
and aiding & abetting copyright infringement. 
After the arguments and rebuttals, the audience 
will vote and decide the fate of MegaUpload. 


RYAN REYNOLDS 


JONATHAN CLAUDIUS 


- The precursor to cracking any password is getting 


the right hash. In this talk we are going to cover 
how we discovered that Cain and Able, Creddump, 


hh Metasploit.and other hash extraction tools regularly 


yield cornmipt hashes that cannot. be cracked. We 
will take a deep dive into password extraction 
mechanics, the birth of a viral logic flaw that 
started it all and how to prevent corrupt hashes. At 
the conclusion of this talk we will release patches 
that prevent hash corruption in these tools that 
many security professionals use every day. 


MICHAEL ROBINSON 
CHRIS TAYLOR 


Commercial spyware is available for mobile 
devices, including iPhones, Android Smartphones, 
BlackBerries, and Nokias. Many of the vendors 
claim that their software and its operation is 
undetectable on the smartphones after setup is 
complete. Is this true? Is there a way to identify 


whether or not some jerk installed spyware on your 


mobile phone or are you destined to be PWN'd? 


This presentation examines the operation and 
trails left by five different commercial spyware 
products for mobile devices. Research for 
both Android and iPhone 4S will be given. A 
list of results from physical dumps, file system 
captures, and user files will be presented to 
show how stealthy the spyware really was. The 
results from the analysis of the install files will 
also be presented. From this information a list 
of indicators will be presented to determine 
whether or not spyware is on your phone. 


SERGIO ‘FLACMAN’ VALDERRAMA 
CARLOS ALBERTO RODRIGUEZ 


When there's no technical vulnerability to 
exploit, you should try to hack what humans left 
for you, and believe me, this always works. 


Scylla provides all the power of what a real 
audit, intrusion, exclusion and analysis tool 
needs, giving the possibility of scanning 
misconfiguration bugs dynamically. 


Scylla aims to be a better tool for security 
auditors, extremely fast, designed based on real 
scenarios, developed by experienced coders 
and constructed with actual IT work methods. 


The words "Configuration Tracer" are the best 
definition for Scylla, a tool to help on IT audits. 


BRUCE SCHNEIER 


Bruce Schneier will answer questions topics 
ranging from the SHA-3 competition to 
the TSA to trust and society to squid. 


REBECCA ‘BX’ SHAPIRO 
SERGEY BRATUS 


The Executable and Linkable Format (ELF) is 
omnipresent; related OS and library code is run 
whenever processes are set up and serviced 
(e.g., dynamically linked). The loader is the stage 
manager for every executable. Hardly anyone 
appreciates the work that the ELF backstage 
crew (including the linker and the loader) puts 
in to make an executable run smoothly. While 
the rest of the world focuses on the star, hackers 
such as the Gruggq (in Cheating the ELF) and 
Skape (in Locreate: An Anagram for Relocate), 
and the ERESI/ELFsh crew, know to schmooze 
with the backstage crew. We can make a star 
out of the loader by tricking it into performing 
any computation by presenting it with crafted 
but otherwise well-formed ELF metadata. We 
will provide you with a new reason why you 
should appreciate the power of the ELF linker/ 
loader by demonstrating how specially crafted 
ELF relocation and symbol table entries can act 
as instructions to coerce the linker7loader into 
performing arbitrary computation. We will present 
a proof-of-concept method of constructing ELF 
metadata to implement the Turing-complete 
Brainfuck language primitives and well as 
demonstrate a method of crafting relocation 
entries to insert a backdoor into an executable. 


MICKEY SHKATOV 
TOBY KOHLENBERG 


Why send someone an executable when you 

can just send them a sidebar gadget? We will 

be talking about the windows gadget platform 
and what the nastyness that can be done with it, 
how are gadgets made, how are they distributed 
and more importantly their weaknesses. Gadgets 
are comprised of JS, CSS and HTML and are 
application that the Windows operating system 
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~ has embedded by default. As a resultthere are 


a number of.interesting attack vectors that are 
interesting to explore and take advantage of. 


We will be talking about our research into 
creating malicious gadgets, misappropriating 
legitimate gadgets and the sorts of flaws 

we have found in published gadgets. 


CHRISTOPHER SOGHOIAN 
BEN WIZNER 


CATHERINE CRUMP 


ASHKAN SOLTANI 


Our mobile phones and'apps systematically 
collect and store comprehensive historical lists 

of our locations and our travels. Advertising 

and marketing companies extract. and interpret 
these lists for use in their information-gathering 
networks, effectively turning our phones into 
24/7 location tracking devices. Because this 
information is readily available to the government, 
law enforcement agencies now have unparalleled 
access to knowledge of where you are, where 
you've been, and through inference, who you are. 


In this panel, tech experts Christopher Soghoian 
and Ashkan Soltani, alongside Catherine Crump, 
staff attorney with the ACLU'S Project on Speech, 
Privacy, and Technology, will present a briefing 
on the current technological and legal landscape 
of location data tracking. The panelists will 
explore how consumer location tracking efforts 
weave a story about the systemic privacy 
vulnerabilities of smart phones and the legal 
ways in which law enforcement has been able. 

to hitch a ride. The panel will be moderated by 
the Director of the ACLU's Project on Speech; 
Privacy, and Technology, Ben Wizner. 
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ADITYA K. SOOD 


RICHARD J. ENBODY 


Botnet designs are becoming more robust and 
sophisticated with the passage of time. While 

the security world is grappling with the security 
threats posed by Zeus and SpyEye, a new breed 

of botnets has begun to flourish. Present-day 
botnets such as smoke, ICE-X, NGR, etc use a mix 
of pre-existing and newly developed exploitation 
tactics to disseminate infections. Botnets have 
been successful in bypassing advanced defense 
mechanisms developed by the industry . This talk 
will take you to the journey of the lives of present- 
day botnets. With a good set of demonstrations, we 
will dissect the crux of upcoming breed of botnets. 


JAYSON E. STREET 


Have you ever found yourself thinking “Boy | sure 
wish | could witness a guy rant for 20 minutes and 
barely come up for air" or maybe "I sure wish | could 
have seen firsthand an old time tent revival with a 
preacher screaming at me" Well then great news 
you are in luck. This is a talk on not just how we 
need to take a hard look at how we interact with 
people outside of our field. It also addresses how 
we can escape the echo chamber and hopefully 
burn it to the ground as we leave! All presented in 
a hopefully comical but most likely just ranty way! 


CHRIS ‘THE SUGGMEISTER’ SUMNER 
RANDALL WALD 


Recent research has identified links between 
Psychopaths and the language they use (Hancock 
et al 2011), with media reports sUggesting that 
Such knowledge could be applied to social 
networks in order help Law Enforcement 
Agencies expose "Psychopath killers' traits". 

This is the first public study to research 
Psychopathy in the context of social media. 
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Results show that there are a number of 
statistically significant correlations between an 
individual's darker personality traits and their 
Twitter activity. We also identified links between 
users’ attitudes to privacy, their personality 
traits and their twitter use. We will present the 
improvement gains possible through the use of 
machine learning for personality prediction and 
share the models and techniques employed. 


In addition to presenting our results, this talk 
will provide an introduction into identifying 
psychopathic traits using the Hare Psychopathy 
Checklist (PCL-R), present the technical 
approaches to collecting, storing and analyzing 
Twitter data using Open Source technologies 
and discuss the current ethical, privacy and 
human rights concerns surrounding social 
media analysis, vetting and labeling. 


We will conclude with two proof of concept works, 
the first using the visualization tool Maltego to 
explore how visual analysis could be used to 
identify potential troublemakers at events such 

a far right demonstrations; the second to look 

at how personality traits influence response 

and interaction with a benign Twitter Bot. 


CHRISTOPHER “BIGGUN” TARNOVSKY 


The STMicroelectronics STI9SWL18P TPM die-level 
analysis. Companies like Atmel, Infineon and ST 
are pushing motherboard manufacturers to use 
these devices. End-users trust these devices to 
hold passwords and other secrets. Once more, | 
will show you just how insecure these devices are. 


RICHARD THIEME 


Thieme’s keynote at DEF CON 4 for a few 
hundred people was “Hacking as Practice for 
Trans-planetary Life in the 21st Century.” Mudge 
recently said, “Some of us knew what you 
meant,and some of us thought you were nuts.” 
That's likely to be theresponse to this talk too. 
Thieme addresses what he said 17 cons ago, why 
it was true, and illuminates some likely futures 
for hacking and hackers, anonymous 2.0.1, and 


the gray space of the noir world in which 6neis 
deemed a “criminal,” not because of what one 
does, but according to who one does it for. 


Identity, in short, is destiny. More than ever, 
identity is a choice, modular and fluid. 


Mudge was with the lOpht then, now he's 
with DARPA. Jeff Moss was an entrepreneurial 
hacker, now's he's with Homeland Defense. 
Too many to name work in agencies or 
stateless names and nameless states, 


. fulfilling the vision of Thieme's first speech. 


But that was then. What's likely to be next? 


JOSH ‘MONK’ THOMAS 
JEFF ‘STOKER’ ROBBLE 


Join the SPAN team for a deep dive into the 
Android network stack implementation and its 
limitations, an analysis of the Wi-Fi chipsets in 
the current generation of smart phones anda 
collection of lessons learned when writing your 
own network routing protocol (or 5 of them). 

The team will also share a “How To” walkthrough 
into implementing your own Mesh network and 
incorporating general “Off Grid” concepts into 
your next project; this will include securing your 
mesh from outside parties while tunneling and 
bridging through the internet. The team will 
delve into specific Android limitations of Ad-Hoc 
networking and provide workarounds and bypass 
mechanisms. Lastly, the team will give an overview 
of the implementations and network surfaces 
provided by the new collection of networking 
alternatives, including NFC and Wi-Fi Direct. 


THOR (HAMMER OF GOD) 


When thinking like a “bad guy” with the 

goal of distributing any number of covert 
communications to any number of recipients, 
there are anumber of critical attributes which 
should be present. The message should: 


— Be portable and "self-sustaining. 

— Be able to be propagated without 

the originator actually having to *own* 

the message or carry it on him. 

— Have the ability to control which recipients 
receive/can read the message. 


— Have the messages backed up and 

managed by a 3rd party in perpetuity. 

= Be freë 

— Bevable to be received without any 

privileged access to equipment or require 
specialized equipment to receive. 

— Be detection resistant, or even detection PROOF. 


This session will be about how to go about just 
that. ALL of these attributes will be satisfied, 

and | will illustrate how you can literally have a 
"detection-proof" covert communication. | don't 
think l've ever said that before, and just writing 
the words "detection-proof" makes me cringe just 
a bit. But l've racked my brain on a way to detect 
what I'll show you and | can't find a way to do it. 


That will be the other cool part of this talk — we'll 
all brainstorm at the end on a way to detect this. 
| bet you can't. :) To me, this is the epitome of 
what DEF CON is about, and | hope you'll join 

me at this talk. Besides, my super-hot wife will 
be there. Get hammered at Hammer of God!!! 


MARC WEBER TOBIAS 


MATT FIDDLER 
TOBIAS BLUZMANIS 


Insecure designs in physical security locks, safes, 
and other products have consequences in terms 
of security, liability, and even loss of life. Marc 
Weber Tobias and his colleagues Tobias Bluzmanis 
and Matthew Fiddler will discuss a number of 
cases involving design issues that allow locks 

and safes to be opened in seconds, focusing on 
consumer-level containers that are specified as 
secure for storing valuables and weapons, and 
in-room hotel safes that travelers rely upon. 


In one instance, the insecurity of a consumer gun 
safe that is sold by major retailers in the United 
States played a part in the death of a three year old 
child who was able to gain access to a handgun 
that was locked in a supposedly secure container. 


The presenters will demonstrate different 
product designs that were represented 
as secure but in fact are not. 


BEN TOEWS 
SCOTT BEHRENS 


Blind SQL injection can be a pain to exploit. When 
the available tools work they work well, but when 
they don't you have to write something custom. 
This is time-consuming and tedious. This talk will 
be introducing a new tool called BBOSQL that 
attempts to address these concerns. This talk 
will start with a brief discussion of SQL Injection 
and Blind SQL Injection. It will then segue into 

a discussion of how BBQSQL can be useful in 
exploiting these vulnerabilities. This talk will 
cover how features like evented concurrency and 
character frequency based searching can greatly 
improve the performance of a SQL Injection 

tool. This talk should leave you with enough 
knowledge to begin using BBOSQL to simplify 
and speed up your application pentests. 


MATTHEW TOUSSAIN 
CHRISTOPHER SHIELDS 


Walk into Starbucks, plop down a laptop, 

click start, watch the credentials roll in. Enter 
Subterfuge, a Framework to take the arcane 

art of Man-in-the-Middle Attacks and make 

it as simple as point and shoot. Subterfuge 
demonstrates vulnerabilities in the ARP Protocol 
by harvesting credentials that go across the 
network, and even exploiting machines through 
race conditions. Now walk into a corporation... 


A rapidly-expanding portion of today's Internet 
strives to increase personal efficiency by turning 
tedious or complex processes into a framework 
which provides instantaneous results. On the 
contrary, much of the information security 
community still finds itself performing manual, 
complicated tasks to administer and protect 
their computer networks. The purpose of this 
presentation is to discuss a new Man-In-The- 
Middle attack tool called Subterfuge. Subterfuge 
is a simple but devastatingly effective credential- 
harvesting program, which exploits vulnerabilities 
in the inherently trusting Address Resolution 
Protocol. It does this in a way that even a non- 
technical user would have the ability, at the push 
of a button, to attack all machines connected 

to the network. Subterfuge further provides the 
framework by which users can then leverage 
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a MITM attack to.do anything from browser/ 
service exploitation to credential harvesting; 
thus equipping information and network security 
professionals and enthusiasts alike with a 

sleek "push-button" security validation tool. 


VISS 


Shodan is commonly known for allowing users 

to search for banners displayed by a short list of 
services available over the internet. Shodan can 
quite easily be used for searching the internet for 
potentially vulnerable services to exploit, but it’s 
also a powerful defensive posturing tool as well as 
the first step in aggregating wide scopes of data 
for mining. Everyone knows routers, switches and 
servers are connected to the internet — but what 
else is out there? Has anybody even looked? | 
suspect people stop after the popular searches 
and forego what’s left. Did you know there are 
hydrogen fuel cells attached to the internet? Some 
of my findings were pretty surprising, and these 
discoveries are an excellent metric for identifying 
how successful our security campaigns as an 
industry are. It's a way to measure our success 

as a whole, by scanning the entire internet. 


PAUL VIXIE 


ANDREW FRIED 


Shodan is commonly known for allowing users 

to search for banners displayed by a short list of 
services available over the internet. Shodan can 
quite easily be used for searching the internet for 
potentially vulnerable services to exploit, but it's 
also a powerful defensive posturing tool as well as 
the first step in aggregating wide scopes of data 
for mining. Everyone knows routers, switehes and 
servers are connected to the internet — but'what 
else is out there? Has anybody even looked? | 
suspect people stop after the popular searches 
and forego what's left. Did you know there are 
hydrogen fuel cells attached to the internet? Some 
of my findings were pretty surprising, and these 
discoveries are an excellent metric for identifying 
how successful our security campaigns as an 
industry are. It’s a way to measure our success 

as a whole, by scanning the entire internet. 


j MARK WEATHERFORD 


"Never fail to distinguish what's new, from what's 
new to you.” This rule applies to a lot people 
when they think about innovation and technology 
in the government. At the U.S. Department of 
Homeland Security, in addition to running the 
National Cybersecurity and Communication 
Integration Center (NCCIC), the US-CERT and 
the ICS-CERT, they work daily with companies 
from across the globe to share critical threat and 
vulnerability information. DHS also supports and 
provides funding for a broad range of cutting- 
edge cybersecurity research initiatives, from the 
development and implementation of DNSSEC to 
sponsoring the use of open source technologies 
and from development of new cyber forensics 
tools to testing technologies that protect the 
nation's industrial control systems and critical 
infrastructures. This is not your grandfather's 
Buick! During this presentation Deputy Under 
Secretary for Cybersecurity Mark Weatherford will 
talk about research and training opportunities, the 
growing number of cybersecurity competitions 
sponsored by DHS, and how they are always 


- looking to hire a few good men and women. 


PAUL WILSON 


Paul Wilson is the writer and star of “The Real 
Hustle" and creator of "The Takedown" on Court 
TV and "Scammed" on The History Channel. 

He is one of the world's finest magicians and 

an expert on cons, scams, casino cheating and 
gambling sleight of hand. He has pulled more 
confidence tricks than anyone in history in his 
efforts to inform and protect the public. 


This talk will include a live con game, 
cheating devices and reasons why 
people will always be vulnerable. 


DAN ZULLA 


A new approach for web vulnerability scanning 
that outbids most existing scanners. 


PRIEST AND PANEL 

Back at DC9 a brave MIB from the CIA received 
clearance and volunteered to answer any and 
all DC attendee's questions with no restrictions 
as honestly as he could. After that experience 
it's only taken us 10 years to get several 
someone's to come back and do it again! 


This will be your chance to meet and ask any 
question you want of the so called Men (and 
Women) in Black. Representatives from the 
NRO, CIA, NSA, DIA, and US Military will field 
any and all questions you have on any topic you 
want. However you may not like the answers. 


We promise there will be no extreme renditions, 
water boarding, assassinations, or mind 


. control unless you really truly deserve it. 


meatspace. 


| CON fans in your zip 


If there's one idea we M 
want all new Con-goers è 
to leave with, it’s that DEF i 
CON is alot more than 
an annual event. Over 
the past 20 years, DEF 
CON has grown into a ? 
real global community $. 
We take pride in getting 
all these bright, curious 
and motivated people 

all in one place to learn, 
to socialize, and to 
recalibrate their livers, but 
we don't want any of it to 
end on Sunday afternoon. ~<" 
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Y rolar to group code 


Fortunately , it doesn't. 
The DEF CON forums 

are full of ways to 

keep your DEF CON 
experience going until we 
are all together again in 


Want to meet other DEF 


code? Every DC Group 
hasa thread in our forum 
so that you can find out 
what they're up to. Feel 
like you need to talk 
about a presentation you 
saw here? Want to get 
involved in a DC event? A 
lot of the planning goes 
on in the Forums, too, so 


— 


One thing we never get enough of hereat DEF CON HQ is pictures of the Con. 

We love to digitally immortalize the dunk tanks, the toxic BBOs, what have you. 

And since we couldn't help but notice that mostof you are walking around with 

approximately 2.3 HD-capable digital cameras in your various tactical cargo pockets 
- and backpacks,we'd like to ask for your help: If.you take pictures you think are cool of 

DEF CON events, presentations or jUSt general ambience, please share them with us 

at pics.defcon.org. 


Its wins all around =you getto share your CONmemories with the community, we 


if you have [good] ideas, = get pictures to use in our projects and-some of Us will be grateful to know exactly 
we encourage you to drop _§ what was going on inthe hours they can't ac-count for. 
in and share them. Please note that many DEF CON attendees are camera-shy for a variety of reasons, 


So etiquette is a must. It's better to askif Someone minds having a picture taken in 


Sure, it might be a while 
, their airspace than to find out too late that they do. 


unti the next DEF CON, 
but we've gota nice place 


to hang until then. J We look forward to seeing your pics, and archiving them online for posterity. 


The American .Givil Liberties Union of Northern Califotnial Works dailysincourtssle gislaturesiand communities to defend and: 
preserve the individual rights and liberties that the Constitution and laws of the United States guarantee everyone in this 
country. ACLU-NC's Demand Your dotRights Campaign highlights the need for modern privacy protections to match the 
technology we develop and use. We work with users, technologists, businesses, and lawmakers to update legal and practical 
protections so that users don't have to choose between taking advantage of new technology and losing control of their personal 
information. Please stop by our booth in the vendor area to learn more about our campaign and what you can do to help! 


Bump My lock 

This is our 5th year as a vendor at DEF CON! We have added over 150 new tools in our catalog. If we don’t have it at the booth, 

go to www.bumpmylock.com. Free demonstrations and training at our booth. BumpMyLock’s sister-site, ACE Hackware, is your 
premier source for hackware, spy gear, disguises, surveillance and night vision equipment for penetration testing, ethical hacking 
and social engineering. ACE Hackware was founded by long-time pentester and hacking countermeasures instructor Taylor Banks 
with the help of a close-knit group of hacker friends who know exactly what you need to perform professional penetration tests, 
physical security audits and social engineering engagements. 5% of all our sales will go to the Miracle Match Foundation. 


BREAKPOINT Books 


BreakPoint Books is your official conference bookstore on site at DEF CON. We'll have all your favorite books for sale and we're conveniently 
located in the Vendor Area. Make sure to stop by and view the titles in stock and purchase a few written by some of your favorite authors! 


ELECTRONIC FRONTIER FOUNDATION 

The Electronic Frontier Foundation (EFF) is the leading organization defending civil liberties in the digital world. We defend free 
speech on the Internet, fight illegal surveillance, support freedom-enhancing technologies, promote the rights of digital innovators, 
and work to ensure that the rights and freedoms we enjoy are enhanced, rather than eroded, as our use of technology grows. 


- GHETTOGEEKS 


Well we're back at it again, and have been working hard all year to bring you the freshest awesome that we can. If you 
have been to DEF CON, layerone, toorcon, phreaknic, or other conferences we have been at, you definitely know what 
so of shenanigans we are up to. If you have never seen us, feel free to come by and take a look at what we have to offer. 
Always fun, always contemporary, GhettoGeeks has some for the tech enthusiast (or if you prefer, hacker) 


THE HACKER ACADEMY 

The Hacker Academy (THA) is an online learning platform for ethical hacking and penetration testing that provides real world tools, 
concepts, and 24/7 hands on training in a cloud based environment. The Hacker Academy provides a true understanding of how 
hacking actually works and what it feels like from a “bad guys” perspective, which arms you with the knowledge to protect your own 
systems. THA is a division of MAD Security, a boutique information security training firm that focuses on improving the security of their 
clients through improvement in user behavior and the skills of their technical staff. Improve your humans, Improve your security. 


HACKERSTICKERS.COM 


HackerStickers.com offers the best in hacker threads, caffeine, technology and mind bending 
tools for all trades. Official reseller of DEF CON swag after the con! 


HAKS 

HakShop: host of security products from world renowned researchers, is your source for the highest quality hacker gadgets. 
With an arsenal of WiFi honey-pots, HID attack tools, Wireless brute-forcers and even monitoring equipment — let's just say 
if 007 were a pen-tester he'd be rocking our gear. Come by our booth today for a demo by Shannon Morse of Hak5. 


- ABGEX 


Customize T shirts & Stickers on the spot at DEF CON 20 


“ECO 


Our 15th year at DEF CON! From Parts and Subassemblies, Test Equipment, and Military Hardware, to Security Equipment, and 
Fetish Clothing! MECO strives to bring you an eclectic mixture of the finest techno-trinkets.... Stop on by and see us! 


NINJA NETWORKS 


Ninja Networks returns with their limited edition challenge coins, custom made for DEF CON each year. Once 
they’re gone, they’re gone, and never remade. Please note that our most popular designs have always sold out 
by Saturday. (Note for feds/spooks/etc: We do trade coins. Ask at the booth or track down barkode.) 
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NO STARCH PRESS ww. 
No Starch Press is one of the few remaining independent computer book publishers. New for 2012: Practical 
Malware Analysis, LEGO Heavy Weapons, The Manga Guide to Linear Algebra, The Tangled Web, Ubuntu for 
Your Mom, Wonderful Life with the Elements, Super Scratch Programming Adventure!, Think Like a Programmer, 


and more. Stop by for some stickers, maybe a shotglass, other swag, and save 309/ on everything. no starch 

press 
NULL SPACE LABS 2 wl " 
Electronic devices for the modern hacker. n u | | | a b S 
PWAYIE EXPRESS 


Pwnie Express specializes in bleeding edge pentesting hardware, including the first-to-market commercial 
pentesting dropbox, the Pwn Plug. A full pentesting suite packed into an inconspicuous microserver, the Pwn 
Plug uses covert tunnels and 3G/GSM cell service to maintain an encrypted, firewall-busting backdoor into your 
target network. Stop by our booth early as we'll be unveiling TWO NEW PRODUCTS at DEF CON 20! 


SECURITY $N0BS 


Security Snobs offers High Security Mechanical Locks and Physical Security Products including door locks, padlocks, cutaways, security 
devices, and more. We feature the latest in security items including top brands like Abloy, BiLock, KeyPort, TiGr, and Sargent and Greenleaf. 
Visit https://SecuritySnobs.com for our complete range of products. Stop by our booth and get free shipping on items for the month following 
the conference. Featuring the mobile alarm system, solid Titanium bike lock, $1500 padlock, and a variety of other unique products. 


SEREPICK 


SEREPICK specializes in custom, covert entry tools and kits for the Urban Penetration Tester. Our flagship 
product is the Titanium Bogota Entry Toolset which will again be available in various configurations. We will 
also be offering complete kits including our custom Titanium, Polymer and Ceramic tools. 


SHADOWVEX INDUSTRIES 


Hacker culture relevant and artistic driven-limited production high quality girls & boys t-shirts and hoodies. Fresh DJ mixes of 
the finest electronic music from the underground. Zero-day custom vinyl stickers, posters and buttons and more of your favorite 
nick-hacks! Some extra special items will be available in celebration for 20 years of shaping technology-as-we-know- it! 


SIMPLE Will 


SimpleWiFi specializes in long range WiFi antennas, cables and USB adapters. We manufacture in south Florida most 
of our antennas and cables as well as quality control on all our products that pass through our doors. 


TABLE OF AMPLE RANDOM DOODADS INCLUDING STICKERS (TARDIS) 


Every year we've sold electronics kits — trying to get people more involved with hardware. We will 
have stickers and other randomness too! Come visit the TARDIS in the vendor area. 


TO00L 


The Open Organisation of Lockpickers will have available a wide selection of tasty lock goodies for both the novice and master 
lockpicker! A variety of commercial picks, handmade picks, custom designs, practice locks, handcuffs, cutaways, and other 
neat tools will be available for your perusing and enjoyment! All sales directly benefit TOOOL, a non-profit organization. 
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UNIVERSITY OF ADVANCING TECHNOLOGY eatin 
The University of Advancing Technology (UAT) is a private university located in Tempe, Arizona, offering academic degrees focused on new , 
and emerging technology disciplines. UAT offers a robust suite of regionally accredited graduate and undergraduate courses ranging from 
Computer Science and Information Security to Gaming and New Media. UAT has been designated as a Center for Academic Excellence 

in Information Systems Security Education by the US National Security Agency. Programs are available online and on-campus. 
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U"IXSuRPLUS 

“Home of the $99 1U Server" 

1260 La Avenida St Mountain View, CA 94043 
Toll Free: 877-UNIX-123 (877-864-9123) 
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Watching movieswith DTonFridayand Saturdaynightisa 
time-honored DEFCON tradition. Let the rubes brave 

the heat ofthe Strip, join usin air-conditioned comfort to 
watcha movie and meet some of the filmmakers. The movies 
are shown inTrack 2! 


We are very excited to announce an Exclusive Sneak Preview screening of 
the film Reboot at DEF CON 20! Stay after for Q&A with the filmmakers and 
cast! Here's a little glimpse into the film: 
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Join us for a screening of the hit movie “21” and stick around for a Q&A | 
session with “MIT Mike” Aponte, the real-life inspiration for the character | 
“Jason Fisher”. 


In contemporary Los Angeles, a young female hacker (Stat) awakens 
from unconsciousness to find an iPhone glued to her hand and a 

. mysterious countdown ticking away on the display. Suffering from head 
-. trauma, and with little recollection of who she is or what is happening, 

. Statraces against time to figure out what the code means, and what 
unknown event the pending zero-hour will bring. 


"MIT Mike" Aponte Mike Aponte is a world-renowned blackjack player, 
gaming consultant and professional speaker. Mike was the leader of the 
MIT Blackjack Team, a high stakes card-counting team that legally won 
millions at 21 using mathematics and an ingenious approach. Mike was 
one of the main characters in the New York Times bestseller, Bringing 
Down the House, which inspired the major motion picture, 21. 


GE. (SSS tj a wp JERR on! SATURDAY, 21:00 
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"We Are Legion: The Story of the Hacktivists” is a documentary that takes 

Us inside the world of Anonymous, the radical “hacktivist” collective that 

has redefined civil disobedience for the digital age. The film explores the t 
historical roots of early hacktivist groups like Cult of the Dead Cow and 

Electronic Disturbance Theater and then follows Anonymous from 4chan to 

a full-blown movement with a global reach; one of the most transformative 

of our time. 


We will be the first hacker con to have the film shown and we are pretty 
excited about it. The filmmaker will be present and doing a Q & A after the 
screening! Check out code2600.com for more info! LT S E E E 
WE ARE LEGION 
CODE 2600 documents the rise of the Information Technology Age.as told through 
the events and people who helped build and manipulate it. The film explores the 
impact this new connectivity has Onur ability to remainhüman while maintaining 
our personal privacy and security. AS we struggle to comprehend the wide-spanning 
socio-technical fallout caused by data collection and social networks, our modern 
culture is trapped in an undercurrentof cyber-attacks, identity theft and privacy 
invasion. Both enlightening and disturbing, CODE 2600 is a provocative wake-up 
call for a society caught in the grips of a global technology takeover. 
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We might even get lucky and have some cast and 
crew in attendance fora short Q&A! 
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DEE CON 101 


DC101 is the Alpha to the closing ceremonies’ 
Omega. It’s the place to go to learn about 
the many facets of Con and to begin your 
Defconian Adventure. Whether you’re a 
nOOb or along time attendee, DC101 can 
start you on the path toward maximizing 
your DEF CON Experiences. 


DEE CON 104 — TRACK 1 
Wireless Security: Breaking Wireless 
Encryption Keys 

DaKahuna 


Intro to Digital Forensics: Tools & Tactics 
Ripshy & Jacob 


Cerebral Source Code 
Siviak 


DC101: DEF CON Survival 
HighWiz, Lockheed, Runnerup, Roamer, AlxRogan, 
PyrO, Flipper 


Screw the Planet, Hack the Job! 
Roamer, Lockheed, Heather, Alxrogan 


HF skiddies suck, don't be one. Learn some 
basicPython. 
Terrence “tuna” Gareau 


Hacking the Hackers: How Firmis Your 
Foundation? 
LoST 


Funwith the Lockpick Village 
Dr. Tran 
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HACKER KARAOKE 


Thursday: 21:00-02:00, Friday: 21:00-02:00 


Do you like music? Do you like performances? 
Want to BE the performer? Well trot your 
happy ass down to Hacker Karaoke, DEF 
CON's first on-site karaoke experience where 
you can bea star, even if you don't know it. 
Don't want to be a star? At Hacker Karaoke 
you can also take pride in making an utter 
fool of yourself. Join Bascule and OverDose 
as we put the casbah in *Rock the Casbah". 


Toxic BBQ 


Thursday 16:30-22:00, Sunset park 


Every year thousands of Hackers and 
Computer Security Enthusiasts attend DEF 
CON the worlds largest underground hacking 
convention. Before the convention starts the 
Toxic BBQ is held. Its an event put together 
by attendees, not funded, organized, or 
sanctioned by the convention. Attendees 
donate thier time, money and food, and put 
together a huge kickoff to the con. 


Every year attendance grows, and so does 
the selection of food, from Yak & Elk, to Ribs 
& Beer, the Toxic BBQ has something to offer 
everyone. Its not just a place to eat and drink, 
its a place to meet and greet your fellow 
attendees before the con. 


Best of all, its free. You are encouraged to 
contribute something, whether it be food, 
donation, your cooking skills, or even a ride 


THE SUMMIT 


Excited to be back in its 8th year at Defcon!! 


theSummit is a Fundraiser for the Electronic 
Frontier Foundation (EFF) on Thursday Night 
between Black Hat, BSides, and DEF CON 
events. We host this event to offer you the 
opportunity to meet up with many of this 
year's 


speakers and VIPs. It’s not easy to see 
every talk you want, or to track speakers 
down when you have a question. Here is 


your chance get direct access to some of 
theindustry leaders So you Camdiscuss 

a talk, set advice abouta project, orjust 

buy them a beer to say thanks for all the 
hacks. Open to all ages, theSummit is an 
excellent networking opportunity with 

alive auction that often includes keys 

to some of the contests, a full bar, and 
entertainment provided by Dual Core & Dale 
Chase, DJ Jackalope, DJ Sailor Gloom and 
introducing 8Bit Weapon with their original 
chip tunes using vintage computers and 
gaming consoles as instruments. Open Bar 
sponsored by the Digital Liberation Front 
(DLF) while supplies last! As always, 1009/o of 
our proceeds is donated to the EFF. 


theSummit () 


year = 2012; 
Start Time: Thursday, July 26, 2010 at 8:00pm 
Vegas 2.0: bit.ly/effsummit 


End Time: Friday, July 27, 2010 at 2:00am 
Twitter: /effsummit 


Location: Miranda Suite "Chill out lounge" 
Facebook: on.fb.me/Vegas20 

EVENT SCHEDULE 

20:00 Doors Open 

20:30 Meet the Speakers 

21:00 Dual Core & Dale Chase 

21:30 Auction 

22:30 8Bit Weapon 

23:30 Raffle 

00:00 DJ Jakalope 

00:30 DJ Sailor Gloom 

Special thanks to Packet Barron, Ripshy, 
Dallas, Banasidhe, Ohm, Generic SuperHero, 
Beau, Krispy, Charlie, Gru, Str3tch, Vyrus, 
Savant 42, Kos, Blak Dayz, Night Owl, Nick, 
Matt, Salem, Cuddles, Astcell, DJ Jackalope, 
DJ Sailor Gloom, Dual Core, Dale Chase, and 


of course the people behind the EFF that 
make us puke rainbows. 


PENN & TELLER 


TheChristopher Columbus Rule 
andDHS 
Mark Weatherford 


Socialized Data: Using Social 
MediaasaCyber Mule 
Thor 


Cortana: Riseof the Automated 
RedTeam 
Raphael Mudge 


OwningOnetoRuleThemAll 
Dave Kennedy, Dave Desimone 


Changing the Security Paradigm: 
Taking Back Your Networkand 
Bringing Paintothe Adversary 
Shawn Henry 


Detecting Reflective Injection 
Andrew King 


Post-Exploitation Nirvana: 
Launching OpenDLP Agents over 
Meterpreter Sessions 

Andrew Gavin, Michael Baucom, Charles 
Smith 


TRACK 1 


Welcome & Badge Talk 
The Dark Tangent, LoST, Jason Scott 


Trailertothe DEF CON 
Documentary, Introby Dead 
Addict andGail Thackeray 

Jason Scott, Dead Addict, Gail Thackeray 


Shared Values, Shared 
Responsibility 
General Keith B. Alexander 


The Artof Cyberwar 
Kenneth Geers 


Drones! 
Chris Anderson 


AnInsideLook Into Defense 
Industrial Base (DIB) Technical 
Security Controls: How Private 
Industry Protects OurCountry’s 
Secrets 

James Kirk 


Life Insidea Skinner Box: 
Confronting our Future of 
Automated Law Enforcement 
Greg Conti, Lisa Shay, Woodrow Hartzog 


Anti-Forensics and Anti-Anti- 


Forensics: Attacks and Mitigating 


Techniques for Digital-Forensic 
Investigations 
Michael Perklin 


TRACK 2 


Should the Wall of Sheep Be 
Illegal? 

Kevin Bankston 

Matt Blaze 

JenniferGranick 


MegaUpload: Guilty or Not Guilty? 
Jim Rennie, Jennifer Granick 


MeettheEFF 

Kurt Opsahl, Marcia Hoffman, Hanni 
Fakhouri, Peter Eckersley, Eva Galperin, 
Trevor Tim 


Panel: The Making of DEFCON 20 
DEFCON Department Heads 


CryptoandtheCops:theLaw 
of Key DisclosureandForced 
Decryption 

Marcia Hofmann 


Panel: DEFCON Comedy Jam V, V 
forVendetta 

David Mortman, Rich Mogull, Chris Hoff, 
Dave Maynor, Larry Pesce, James Arlen 


TheArtoftheCon 
Paul Wilson 


TRACK 3 


MakingSenseofStatic- New 
Tools for Hacking GPS 

Fergus Noble 

Colin Beighley 


Can You Track Me Now? 
Government And Corporate 
Surveillance Of Mobile Geo- 
LocationData 

Christopher Soghoian, Ben Wizner, 
Catherine Crump, Ashkan Soltani 


Don’t Stand SoClose To Me: An 
Analysis of the NFC Attack Surface 
Charlie Miller 


NFC Hacking: The Easy Way 
Eddie Lee 


Attacking the TPM Part2:Alook 
atthe STISWP18 TPMdevice 
Christopher Tarnovsky 


Bypassing Endpoint Security for 
$20orLess 
Phil Polstra 


Safes and Containers -Insecurity 
DesignExcellence 

Marc Weber Tobias, Matt Fiddler, Tobias 
Bluzmanis 


TRACK 4 


Embedded Device Firmware 
Vulnerability Hunting 
Ang Cui 


APKFileInfectiononan Android 
System 
BobPan 


Passive Bluetooth Monitoring 
inScapy 
RyanHoleman 


Not-So-Limited Warranty 
Darkred 


Not So Super Notes 
Matthew Duggan 


The OpenCyber Challenge 
Platform Project 
Linda C. Butler 


How to Channel YourInnerHenry 
Rollins 
JaysonE. Street 


Bad (and Sometimes Good) Tech 
Policy: It’s Not JustaDC Thing 
Chris Conley 


Scylla: Because Thereis NoPatch 
forHuman Stupidity 
Sergio Valderrama, Carlos Rodriguez 


Drinking From the Caffeine 
Firehose We Know as Shodan 
Viss 


Network Anti-Reconnaissance 
Dan‘AltF4’ Petro 


HowtoHack VMwarevCenter 
Serverin60 Seconds 
Alexander Minozhenko 


Demorpheos 
Svetlana Gaivoronsli, Denis Gamayunov 


NewTechniques inSQLi 
Obfuscation 
Nick Galbreath 


DivaShark - Monitor Your Flow 
Robert Deaton 


BlindXSS 
Adam Baldwin 
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PENN & TELLER 


DefeatingPPTP VPNs and WPAZ 
EnterprisewithMS-CHAPv2 
Moxie Marlinspike, David Hulton, 

Marsh Ray 


Stamp OutHash Corruption! Crack 
All The Things 
Ryan Reynolds, Jonathan Claudius 


CryptohazeCloudHacking 
Bitweasil 


TheEndofthePSTNAs You 
Know it 

Jason Ostrom, Karl Feinauer, William 
Borskey 


Programming Weird Machines 
WithELF Metadata 
Rebecca ‘bx’ Shapiro, Sergey Bratus 


Uncovering SAP Vulnerabilities: 
Reversing and Breaking the Diag 
Protocol 

MartinGallo 


BlackOps 
Dan Kaminsky 


TRACK 1 


Twenty Years Back, Twenty Years 
Ahead: The Arc of DEFCON Past 
and Future 

Richard Thieme 


Hacking Humanity: Human 
Augmentationand You 
Christian 'Quaddi' Dameff 
Jeff'r3plicant" Tully 


DIY ElectricCar 
David Brown 


MoreProjects of Prototype This! 
Joe Grand, Zoz 


<ghzorBust: DEFCON 
Atlas 


The Safety Dance - Wardriving 
the Public Safety Band 
Robert Portvliet, Brad Antoniewicz 


Hacker + Airplanes = No Good Can 
ComeOfThis 
Renderman 


BustingtheBARR: Tracking 
“Untrackable” Private Aircraft 
forFun& Profit 

Dustin Hoffman, Semon Rezchikov 


TRACK Z 


World War3.0 - The battle forthe 
Internet betweentheforces of 
Chaos &Control 

Joshua Corman, Dan Kaminsky, Jeff Moss, 
Rod Beckstrom, Michael Joseph Gross 


BruceSchneier Answers Your 
Questions 
Bruce Schneier 


MeettheFedPanel One 
JimChristy, Leon Carroll, Andy Fried, Jon 
ladonisi, Rich Marshall, david McCallum, 
Justin Wykes 


MeettheFedPanel Two 
JimChristy, Rod Beckstrom, Jerry Dixon, 
Mishel Kwon, Bob Lentz, Riley Repko, Dr. 
Linton Wells, Mark Weatherford 


Q&A withthe Men (and Women) 
inBlack 
Priest, others 


Bigger Monster, Weaker Chains: 
TheNSAandtheConstitution 
Jameel Jaffer, William Binney, James 
Bamford, Alex Abdo 


Connected Chaos: Evolving the 
DCG/Hackspace Communication 
Landscape 

blakdayz, anarchy angel, anch, Dave 
Marcus, Nick Farr 


Panel: Anonymous and the Online 
Fight for Justice 

Amner Lyon, Gabriella Coleman, 

Marcia Hofmann, Mercedes Haefer, Jay 
Leiderman, Gráinne O'Neill 


TRACKS 


Beyond the War onGeneral 
Purpose Computing: What’s 
InsidetheBox? 

Cory Doctorow 


OwningBad Guys {And Mafia} 
With JavascriptBotnets 
Chema Alonso, Manu The Sur’ 


Botnets Die Hard—Ownedand 
Operated 
Aditya K. Sood, Richard J. Enbody 


Hardware Backdooringis 
Practical 
Jonathan Brossard 


Hacking Measured Boot and VEF 
Dan Griffin 


DDoS Black and White “Kungfu” 
Revealed 

Anthony ‘Darkfloyd’ Lai, Tony ‘MT’Miu, 
Kelvin ‘Captain’ Wong, Man ‘Avenir’ Chung 


(BSDaemon) Overwriting the 
Exception Handling Cache Pointer 
-Dwarf Oriented Programming 
Rodrigo Branco, Sergey Bratus, James 
Oakley 


TheDCWGDebriefing - Howthe 
FBlGrabbedaBotandSavedthe 
Internet 

Paul Vixie, Andrew Fried 


Se Si ne o a 73€ | NZ 


TRACK 4 


CreatinganAl Security Kernelin 
the1980s (Using“Stone Knives 
andBear Skins”) 

TomPerrine 


Exploit Archaeology: Raiders of 
theLostPayphones 
Josh Brashars 


IntotheDroid:Gaining Access to 
Android User Data 
Thomas Cannon 


Hellaphone: Replacing the Java 
in Android 
John Floren 


Off Grid Communications with 
Android - Meshingthe Mobile 
World 

münk, Stoker 


Exchanging Demands 
Peter Hannay 


Spyvs. Spy: Spyingon Mobile 
Device Spyware 
Michael Robinson, Chris Taylor 


The Darknet of Things, Building 
Sensor Networks That Do Your 
Bidding 

Anch, Omega 


, 


You know that hollow 
feeling you get on the 


—— last day of DEF CON? 


The awards ceremony is over, the vendors 
are packing it in, the lobby is full of people 
checking out and heading for the airport. 


You're thinking about going back to work, 


about finding yourself away from the tribe 
and back among the Normals. Makes you 
wish DEF CON was going on all year, right? 


The good news is, DEF CON is going on 
all year, and in generally more forgiving 
weather. There are DC Groups all over 
the world. All of them have monthly 
meetings where they discuss some 
meaty technical topic. Some of them 
have hackerspaces,and cool projects. 
Some of them bring in speakers and try 
to keep the info-sharing going on for 

the 361 days when the CON is dark. 


North. 
Atlantic: 
Ocean 


If you’re not linked up with your local 
DC group, you owe it to yourself to get 


| familiar. Interesting people talking 


about interesting tech and bending it to 
interesting purposes, what more could you 
conceivably require? | mean, it's not like 
you're gonna have more fun at the Elks 
lodge. No one teaches you to pick locks 

at Kiwanis Club. To find out if you've got a 
local DC group, check the listing on the DEF 
CON site (https://www.defcon.org/html/ 
DEF CON-groups/dc-groups-index.html) 


If your town doesn’t have a DC group yet, 
you should consider starting one. We 
make it pretty easy. Fill out the form at 
http://goo.gl/hqGQ3, and we'll get back 
to you with your status. Find a place that 
doesn't mind you hanging out and talking 
a bit — libraries can work, parks can work, 
that cool back room at your local caffeine 
dispensary, even. Maybe not your creepy 
unfinished basement, but there really are 
almost endless options. Maybe even throw 


Up a website to keep track of everything. 
You get the cool points for starting the 
group, and when it turns awesome you 
get to make the biggest awesome face. 


The best thing about lugging around these 
giant craniums is that we don't have to 
discover everything ourselves. We can learn 
from each other. Intentional knowledge 
sharing is a force multiplier, and it's the 
thing that moves the world forward. If 

you have cool ideas (and if you didn't, you |- 
probably wouldn't be reading this) then do 
your part for a better tomorrow and start 
sharing them. If you know other smart 

people who need an audience, or who 

just want to get smarter, invite them in. 


"TT | 


It’s pretty win-win. You keep learning 
and sharing what you do with us, and 
we'll keep looking for ways to shine a 
light on all the cool happenings in DCG- 
land. Let's make the Geek Christmas 
feeling of DEF CON last all year long. 
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TRACK 1 


SIGINT and Traffic Analysis forthe Rest of Us 
Sandy Clark, Matt Blaze 


SCADA Strangeloveor: How Learnedto 
Start Worrying andLovethe Nuclear Plants 
Sergey Gordeychik, Denis Baranov, Gleb Gritsai 


Lookingintothe Eyeof the Meter 
Cutaway 


Tenacious Diggity -Skinny DippininaSea 
of Bing 
Francis Brown, Rob Ragan 


Can Twitter Really Help Expose Psychopath 
Killers’ Traits? 
Chris “The Suggmeister” Sumner 


Sploitego - Maltego's (Local) Partner in 
Crime 
Nadeem Douba 


How toHack All the Transport Networks of 
aCountry 
Alberto Garcia Illera 


TRACK 2 


Robots: You’re Doingit Wrong2 
Katy Levinson 


KinectasploitV2: Kinect Meets 20 Security 
Tools 
Jeff Bryner 


CyberPatriot - AStudent's Perspective 
Kevin Houk, Matt Brenner, Jake Robie 


DCRecognize Awards 
Jeff Moss, Jericho, Russ Rogers 


FuzzingOnline Games 
Elie Bursztein, Patrick Samy 


HackingtheGoogleTV 
Amir zenofex Etemadieh, CJ Heres, Dan Rosenberg, 
TomDwenger 


ThePaparazziPlatformFlexible, Open- 
Source, UAS Softwareand Hardware 
esden, dotAero, misterj, cifo 


See 


TRACKS 


Trustwave, OPFOR 4Ever 
TimMaletio,ChristophenPogue: 


Improving Web Vulnerability Scanning 
DanZulla 


Post Metasploitation: Improving Accuracy 
and Efficiency in Post Exploitation Using the 
Metasploit Framework 

egypt 


Weaponizing the Windows APIwith 
Metasploit’s Railgun 
David ‘thelightcosine’ Maloney 


Kevin Poulsen Answers Your Questions 
Kevin Poulsen 


Ownedin 60 Seconds: From Network Guest 
to Windows Domain Admin 
Zack Fasel 


Subterfuge: The Automated Man-in-the- 
Middle Attack Framework 
Matthew Toussain, Christopher M. Shields 


Closing Ceremonies In Track 1 


TRACK 4 


WeHave You by theGadgets 
Mickey Shkatov, Toby 


NoMoreHooks: Trustworthy Detection of 
Code Integrity Attacks 
Xeno Kovah, Corey Kallenberg 


Owning the Network: Adventures in Router 
Rootkits 
Michael Coppola 


Hacking [redacted] Routers 
FX, Greg 


SQL Injection to MIPS Overflows: Rooting 
SOHO Routers 
Zachary Cutlip 


bbqSQL - Blind SQLi Exploitation 
Ben Toews, Scott Behrens 


SQLRelnjector - AutomatedExfiltrated 
Dataldentification 
JasonA. Novak, Andrea London 
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DEF CON is run by volunteers and without them 
nothing would happen. | want to thank all of the 
people, teams, and unsung heroes who made 
this year possible: 


Neil, Nikita, Sleestak, Charel, Zac, Nico, Paralax, Moon Shadow, 
Jeff McN, Dead Addict, LOSTBOY, Will, Uncle Ira, ETA, Black Beetle, 
B.C. Cotman, Chris Eagle, Converge for watching over the DEF CON 


_, Groups for these past years, and to Blak Dayz for following in his 


footsteps. 


The contests and events team run by PyrO and his awesome staff: 
Mar, TheDon, DenHac, and the 303 DC Planning Committee for 
their party planning, badge design, and helping those “other kids” 
win Vegas year after year. 


The Vendor Goons: Roamer, AlxRogan, Evil, Latenite, Redbeard 
and Wad. The Goon Band: Godminusl, Rich, Redbeard, and 
Deviant. Brennan for doing such a great job on the Vendor 
Application this year. Wiseacre for his help with the floor plan. All of 
the DEF CON 20 Vendors. 


The NOC staff who keep things running every year: Lockheed, 
Heather, Mac, effffn, Rukbat, Videoman, Enki, Mac, #Sparky, and 


_ t3ase. This year they have interns — Jared, Justin, and Erik! 


_ Speaker Operations staff for all the long hours, sore feet, and 


missed talks: AgentX: A55mnky, Bitmonk, Bushy, Code24, Crash, 
Dallas, Dapper Dan, Froggy, Gattaca, Goekesmii, Jinx, Jurist, KK, 
Nevada Raven, notkevin, Number2, Pardus, Pasties, Pwcrack, Rich, 
roundRiver, Shadow, Vaedron, WhiskyRomeo & zendog. Finally to 
Quagmire Joe, where ever you are, | look forward to the boat drinks. 


Thanks to the Production & Dispatch team: Charel, Doolittle, 
Kampf, Betsy, Mari, Morgan, Rf, Voltage Spike, Chuck, Noise, Ash 
for leading the Dispatch & Production crew forward. 


Thanks to Uncle Ira, and the Logistics Team of Major Malfunction, 
ETA, Rijil V, Alien, Dodger, and Merlin. 


The schwag team: SunShine, secret, veruus, Amazon, Atucom, Cpt 
Fury, dern, diamiO3, GateKeeper, Gingerjet, globus, g-ziggy, lOrn4, 
Lisa, owaspgirl, Rudy, and scout. 


Information Booth: Ed, Flower, Melloman, Zookeeper, Littlebruzer, 
Littleroo, Jerel; Fran, Jenn, Sanchez, SI33pE, algorythm, Leila 

T., Mojostico, ACRONYM, Project Chatter, madstringer, Titan. 
Awesome Folks!!! 
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Registration team: TW, Tyler, Cstone, Crackerjack, Queen, 6Q, 
Matt, Aaron, Zane and Melissa! 


Security team: bOn3z Blakdayz Captain chosenl chs cjunky 
converge cyber dcOde flea Fox gadsden h3adrush HattoriHanzo 
jake23 jdoll JustaBill kallahar kevine krassi lei Londo Lordy 
lunaslide mattrix MAXIMUS montell noid nynex P33v3 Pappy 
Pescador pfriedma polishdave priest quiet rik skydog Synn tacitus 
trinity Vidiot wham WhiteBOrd Xtasy Evil Phreck Queeg Amber 
Angie Kruger GM1 Danozano CyMike Fox. Capt Arclight 


Entertainment Staff and acts: object D, An Hobbes, Dr. Raid, 

Y TCracker, Dual Core, Dale Chase, MC Frontalot, Mochipet, Saint 
Vil, The Goon Band, Minibosses, REGENERATOR, Cy Fi, Krisz 
Klink, SailorGloom, phreakocious, Rene, Ryan Gatesman, Electric, 
Sigma Star, DJ9/o27, Robb Wise & thad Timothy, Zebbler Encanti 
Experience, Great Scott, The Crystal Method, Elite Force, Miss 

DJ Jackalope, Mitch Mitchem, Project Mayhem, Zack Fasel, Keith 
Myers, VJ Q. Alba, Alba T. Ross, kampf, NOP ! 


Grifter, Bluknight and Banshee for all the help with the Skytalks 
Stealth and his team for the EFF fundraiser shooting contest 
ASTcell and Hackerphotos.com thanks for the pics! 


Groups like the all the DEF CON Groups worldwide, 303, 
SecurityTribe, Hektik, 23.org, Phenoelit, Ninjas, DDTEK, Vegas 2.0, 
EFF 


Thanks to Jason Scott and his team for their hard work on the DEF 
CON Documentary, both pre-con and during the conference. In 
addition, thanks to all the attendees and staff that took time from 
their busy schedules to participate. Thanks to Jericho/Dis for his 
help on the DC Recognize Awards. 


Iwouldalllike to thank those who have taken their time and money 
to take a risk and run a contest, organize a hacking village, submit 

a talk, or perform music, and last but not least the attendees for 
showing up for 20 years. 


Special remembrance to all the brothers and sisters who cannot 
be with us this year. The good memories and the knowledge you 
gave us will live on within us all and be shared with many, you will 
continue to be missed. 


-The Dark Tangent 
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